
chore: fix csp

+44 -20
+2 -1
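--- a/src/index.ts
+++ b/src/index.ts
@@ -19,6 +19,7 @@
 const isProduction = process.env.NODE_ENV === "production";
 
 const environment = process.env.NODE_ENV;
+
 // Only compute git commit in development, use a constant in production to avoid process spawn
 const commit = isProduction
   ? "production"
@@ -91,7 +92,7 @@
 const server = Bun.serve({
   port: process.env.PORT || 3000,
   reusePort: true,
-  maxRequestBodySize: 1024 * 1024, // 1MB max request size
+  maxRequestBodySize: 1024 * 1024,
   routes: {
     "/": root,
     // Apply CORS to all API routes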
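Review bot: The `// 1MB max request size` comment on `maxRequestBodySize` is dropped in the second hunk with nothing replacing it, so the only statement of why the body cap exists and what it protects against is gone. Keep a short rationale on that line, e.g. `maxRequestBodySize: 1024 * 1024, // 1 MiB cap on request bodies`. Neither change in this file touches the CSP the commit title refers to, so a reader of the log may miss where the header is actually applied; a one-line mention in the commit message would help. The `Bun.serve` call continues outside the hunk.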
+8 -19
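--- a/src/libs/cors.ts
+++ b/src/libs/cors.ts
@@ -1,6 +1,5 @@
 /**
  * CORS configuration for the application
- * This adds support for Cloudflare Insights specifically
  */
 
 // Pre-defined CORS headers for better performance
@@ -11,19 +10,16 @@
   Vary: "Origin",
 };
 
-// Allowed origins for CORS
-const ALLOWED_ORIGINS = [
-  "https://static.cloudflareinsights.com",
-  "https://cloudflareinsights.com",
-];
+// Allowed origins for CORS - can be expanded as needed
+const ALLOWED_ORIGINS: string[] = [];
 
 /**
- * Adds CORS headers to allow Cloudflare Insights
+ * Adds CORS headers to a response
  * @param response The response to add CORS headers to
  * @param origin The request origin to use for Access-Control-Allow-Origin
  * @returns A new response with added CORS headers
  */
-function addCloudflareInsightsCors(
+function addCorsHeaders(
   response: Response,
   origin: string,
 ): Response {
@@ -53,8 +49,8 @@
 function handleCorsPreflightRequest(req: Request): Response {
   const origin = req.headers.get("Origin");
 
-  // Fast path: if origin is not in allowed list, return minimal response
-  if (!origin || !ALLOWED_ORIGINS.includes(origin)) {
+  // If no origin or not in allowed list (if any are specified)
+  if (!origin || (ALLOWED_ORIGINS.length > 0 && !ALLOWED_ORIGINS.includes(origin))) {
     return new Response(null, { status: 204 });
   }
 
@@ -73,19 +69,12 @@
 
 /**
  * Higher-order function that adds CORS support to a request handler
- * Specifically configured for Cloudflare Insights requests
  * @param handler The original request handler function
  * @returns A new handler function with CORS support added
  */
 export function handleCORS(
   handler: (req: Request) => Response | Promise<Response>,
 ): (req: Request) => Promise<Response> {
-  // Cache response for OPTIONS requests
-  const cachedOptionsResponse = new Response(null, {
-    status: 204,
-    headers: CORS_HEADERS,
-  });
-
   return async (req: Request) => {
     // Fast path for OPTIONS - most common CORS request
     if (req.method === "OPTIONS") {
@@ -96,12 +85,12 @@
     const origin = req.headers.get("Origin");
 
     // Fast path for non-CORS requests
-    if (!origin || !ALLOWED_ORIGINS.includes(origin)) {
+    if (!origin || (ALLOWED_ORIGINS.length > 0 && !ALLOWED_ORIGINS.includes(origin))) {
       return handler(req);
     }
 
     // Process the request normally then add CORS headers
     const response = await handler(req);
-    return addCorsHeaders(response, origin);
+    return addCorsHeaders(response, origin);
   };
 }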
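Review bot: With `ALLOWED_ORIGINS` now empty, the `ALLOWED_ORIGINS.length > 0 &&` clause added to both checks (new lines 53 and 88) makes every request with an `Origin` header pass, and `addCorsHeaders(response, origin)` then reflects that arbitrary origin into `Access-Control-Allow-Origin`; the effect is an allow-all policy, not the "no origins yet" the comment on line 13 suggests, and the same holds for the preflight path. Whether `CORS_HEADERS` also sets `Access-Control-Allow-Credentials` is outside the hunk — if it does, reflecting any origin lets other sites read authenticated responses, which is the classic CORS misconfiguration. If allow-all is intended, say so explicitly, e.g. `// Allowed origins for CORS. NOTE: an empty list reflects ANY request Origin (allow-all), not none.`, and make sure credentials are not enabled; if it is not, drop the `length > 0` clause in both checks so an empty list denies, `if (!origin || !ALLOWED_ORIGINS.includes(origin)) {`. `handleCorsPreflightRequest`'s body and the `OPTIONS` branch of `handleCORS` continue outside the hunk.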
+34
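--- /dev/null
+++ b/src/libs/headers/index.ts
@@ -0,0 +1,34 @@
+/**
+ * Security headers for the application
+ *
+ * This module contains header configurations for Content Security Policy
+ * and other security-related headers
+ */
+
+import type { HeadersInit } from "bun";
+
+// CSP directives to allow necessary resources while maintaining security
+export const contentSecurityPolicy =
+  "default-src 'self'; " +
+  "script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; " +
+  "style-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; " +
+  "img-src 'self' https://cachet.dunkirk.sh https://emoji.slack-edge.com *.slack-edge.com data:; " +
+  "connect-src 'self'; " +
+  "frame-src 'self';";
+
+// Standard security headers for all responses
+export const securityHeaders = {
+  "Content-Security-Policy": contentSecurityPolicy,
+  "Referrer-Policy": "strict-origin-when-cross-origin",
+  "X-Content-Type-Options": "nosniff",
+  "X-Frame-Options": "DENY",
+  "X-XSS-Protection": "1; mode=block",
+};
+
+// Function to get headers for the main HTML page
+export function getHtmlResponseHeaders(): HeadersInit {
+  return {
+    "Content-Type": "text/html",
+    ...securityHeaders,
+  };
+}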
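Review bot: `script-src` on line 13 carries both `'unsafe-inline'` and `'unsafe-eval'`, which lets any injected inline script run and removes most of the XSS protection the header exists to provide; the comment on line 10 ("while maintaining security") overstates what this policy achieves, so either document which library needs `'unsafe-eval'` and plan a nonce- or hash-based `script-src`, or at least note the trade-off, e.g. `// NOTE: 'unsafe-inline'/'unsafe-eval' in script-src largely disable CSP's XSS protection; needed for <which dependency> — TODO replace with nonces`. The policy also has no `object-src`, `base-uri` or `frame-ancestors`, so appending `"object-src 'none'; base-uri 'self'; frame-ancestors 'none';"` would close plugin and base-tag injection and give the CSP equivalent of the `X-Frame-Options: DENY` on line 24. `X-XSS-Protection: 1; mode=block` on line 25 is a legacy filter that modern browsers ignore and that was historically abused to leak page content; the current recommendation is `"X-XSS-Protection": "0"` or to omit the header when a CSP is present. Allowing the whole `https://cdn.jsdelivr.net` host for scripts and styles is broad; pinning to the specific package paths or adding Subresource Integrity on the tags would narrow it.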