🪻 distributed transcription service
thistle.dunkirk.sh
chore: update csp and security headers
+27
-8
+27
src/index.ts
+27
src/index.ts
···
3439
3439
hmr: true,
3440
3440
console: true,
3441
3441
},
3442
+
fetch(req, server) {
3443
+
const response = server.fetch(req);
3444
+
3445
+
// Add security headers to all responses
3446
+
if (response instanceof Response) {
3447
+
const headers = new Headers(response.headers);
3448
+
headers.set("Permissions-Policy", "interest-cohort=()");
3449
+
headers.set("X-Content-Type-Options", "nosniff");
3450
+
headers.set("X-Frame-Options", "DENY");
3451
+
headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
3452
+
3453
+
// Set CSP that allows inline styles with unsafe-inline (needed for Lit components)
3454
+
// and script-src 'self' for bundled scripts
3455
+
headers.set(
3456
+
"Content-Security-Policy",
3457
+
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none';"
3458
+
);
3459
+
3460
+
return new Response(response.body, {
3461
+
status: response.status,
3462
+
statusText: response.statusText,
3463
+
headers,
3464
+
});
3465
+
}
3466
+
3467
+
return response;
3468
+
},
3442
3469
});
3443
3470
console.log(`🪻 Thistle running at http://localhost:${server.port}`);
3444
3471
-1
src/pages/admin.html
-1
src/pages/admin.html
···
4
4
<head>
5
5
<meta charset="UTF-8">
6
6
<meta name="viewport" content="width=device-width, initial-scale=1.0">
7
-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">
8
7
<title>Admin - Thistle</title>
9
8
<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">
10
9
<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/checkout.html
-1
src/pages/checkout.html
···
4
4
<head>
5
5
<meta charset="UTF-8">
6
6
<meta name="viewport" content="width=device-width, initial-scale=1.0">
7
-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">
8
7
<title>Success! - Thistle</title>
9
8
<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">
10
9
<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/class.html
-1
src/pages/class.html
···
4
4
<head>
5
5
<meta charset="UTF-8">
6
6
<meta name="viewport" content="width=device-width, initial-scale=1.0">
7
-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">
8
7
<title>Class - Thistle</title>
9
8
<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">
10
9
<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/classes.html
-1
src/pages/classes.html
···
4
4
<head>
5
5
<meta charset="UTF-8">
6
6
<meta name="viewport" content="width=device-width, initial-scale=1.0">
7
-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">
8
7
<title>Classes - Thistle</title>
9
8
<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">
10
9
<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/index.html
-1
src/pages/index.html
···
4
4
<head>
5
5
<meta charset="UTF-8">
6
6
<meta name="viewport" content="width=device-width, initial-scale=1.0">
7
-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">
8
7
<title>Thistle</title>
9
8
<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">
10
9
<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/reset-password.html
-1
src/pages/reset-password.html
···
4
4
<head>
5
5
<meta charset="UTF-8">
6
6
<meta name="viewport" content="width=device-width, initial-scale=1.0">
7
-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">
8
7
<title>Reset Password - Thistle</title>
9
8
<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">
10
9
<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/settings.html
-1
src/pages/settings.html
···
4
4
<head>
5
5
<meta charset="UTF-8">
6
6
<meta name="viewport" content="width=device-width, initial-scale=1.0">
7
-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">
8
7
<title>Settings - Thistle</title>
9
8
<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">
10
9
<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/transcribe.html
-1
src/pages/transcribe.html
···
4
4
<head>
5
5
<meta charset="UTF-8">
6
6
<meta name="viewport" content="width=device-width, initial-scale=1.0">
7
-
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">
8
7
<title>Transcribe - Thistle</title>
9
8
<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">
10
9
<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">