

feat(server): security headers

+25
+24
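--- a/cmd/internal/mux.go
+++ b/cmd/internal/mux.go
@@ -5,6 +5,7 @@
 	"errors"
 	"fmt"
 	"log/slog"
+	"math"
 	"net/http"
 	"slices"
 	"time"
@@ -95,3 +96,26 @@
 		}
 	}
 }
+
+func MiddlewareHeaders(domain string, cacheDur time.Duration) Middleware {
+	if cacheDur == 0 {
+		cacheDur = 15 * time.Minute
+	}
+	return func(next Handler, w *StatusWriter, r *http.Request) {
+		// prevent tracking
+		w.Header().Add("Referrer-Policy", "strict-origin-when-cross-origin")
+		// prevent iframe
+		w.Header().Add("X-Frame-Options", "deny")
+		// prevent bad content being parsed
+		w.Header().Add("X-Content-Type-Options", "nosniff")
+		w.Header().Add("X-Permitted-Cross-Domain-Policies", "none")
+		// content security, cors & co
+		w.Header().Add("Content-Security-Policy", "default-src 'self' https://*."+domain+"; object-src 'none';")
+		w.Header().Add("Access-Control-Allow-Origin", "https://"+domain)
+		w.Header().Add("Cross-Origin-Resource-Policy", "same-origin")
+		// caching
+		w.Header().Add("Access-Control-Max-Age", fmt.Sprintf("%.0f", math.Floor(cacheDur.Seconds())))
+
+		next(w, r)
+	}
+}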
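Review bot: Every security header in MiddlewareHeaders is written with `w.Header().Add`, which appends a second value instead of replacing one, so a Content-Security-Policy or X-Frame-Options that any other middleware or handler already set would be sent alongside this one rather than overridden; these headers should carry exactly one authoritative value, so each call should be `w.Header().Set(...)`. The `// caching` comment is misleading: `Access-Control-Max-Age` only bounds how long a browser keeps a CORS preflight result (and browsers cap it well below large values), so if cacheDur is meant to cache the feed response itself a `Cache-Control: max-age=...` header is still needed, and the value is more simply written as `strconv.FormatInt(int64(cacheDur/time.Second), 10)`, which also drops the new `math` import. The CSP string has no `frame-ancestors` directive, which is the modern counterpart of X-Frame-Options; appending `frame-ancestors 'none';` keeps the two mechanisms in agreement. The exported function also lacks a doc comment; something like `// MiddlewareHeaders adds browser security and CORS headers to every response; cacheDur (default 15m) is sent as Access-Control-Max-Age.` would do.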
+1
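--- a/cmd/lasad/server/run.go
+++ b/cmd/lasad/server/run.go
@@ -96,6 +96,7 @@
 
 		next(w, r.WithContext(ctx))
 	})
+	m.Use(internal.MiddlewareHeaders(cfg.Domain, dur))
 	m.Use(internal.MiddlewareLog(func(ctx context.Context) context.CancelCauseFunc {
 		return ctx.Value(keyCancelCause).(context.CancelCauseFunc)
 	}, cfg.LogNotFound, cfg.LogBadRequest))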
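Review bot: The `dur` passed as cacheDur on the added line is declared outside this hunk, so its meaning cannot be confirmed here; if it is the feed cache duration, reusing it as the CORS preflight TTL couples two unrelated settings, and a negative or zero value reaches MiddlewareHeaders unchecked (zero is defaulted there, negative is not). A one-line comment at the call site naming what `dur` is would make the intent clear, e.g. `// dur doubles as the Access-Control-Max-Age value`. The enclosing function starts and ends outside the hunk.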