jake/jarv.is
1
Fork 0
mirror of https://github.com/jakejarvis/jarv.is.git synced 2025-07-03 18:06:38 -04:00
Code Issues Activity

simplified cloudflare worker for security headers

Browse Source
This commit is contained in:
Jake Jarvis
2019-08-13 11:07:21 -04:00
parent 8b8005ec1d
commit 4572122d4a
2 changed files with 46 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
content/notes/security-headers-cloudflare-workers/index.md
View File

@ -28,7 +28,7 @@ If you run your own server, these can be added by way of your Apache or nginx co
The following script can be added as a Worker and customized to your needs. Some can be extremely picky with syntax, so be sure to [read the documentation](https://www.netsparker.com/whitepaper-http-security-headers/) carefully. You can fiddle with it in [the playground](https://cloudflareworkers.com/), too. Simply modify the current headers to your needs, or add new ones to the `newHeaders` or `removeHeaders` arrays.
```js
let newHeaders = {
let addHeaders = {
"Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
"Strict-Transport-Security": "max-age=1000",
"X-XSS-Protection": "1; mode=block",
@ -45,30 +45,32 @@ let removeHeaders = [
]
addEventListener("fetch", event => {
event.respondWith(addHeaders(event.request))
event.respondWith(fetchAndApply(event.request))
})
async function addHeaders(req) {
let response = await fetch(req)
let responseHeaders = new Headers(response.headers)
async function fetchAndApply(req) {
// Fetch the original page from the origin
let response = await fetch(request)
Object.keys(newHeaders).map(function(name, index) {
responseHeaders.set(name, newHeaders[name])
// Make response headers mutable
response = new Response(response.body, response)
// Set each header in addHeaders
Object.keys(addHeaders).map(function(name, index) {
response.headers.set(name, addHeaders[name])
})
// Delete each header in removeHeaders
removeHeaders.forEach(function(name){
responseHeaders.delete(name)
response.headers.delete(name)
})
return new Response(response.body, {
status: response.status,
statusText: response.statusText,
headers: responseHeaders
})
// Return the new mutated page
return response
}
```
Once you're done, you can analyze your website's headers and get a letter grade with [Scott Helme](https://scotthelme.co.uk/)'s awesome [Security Headers](https://securityheaders.com/) tool. His free [Report-URI](https://report-uri.com/) service is another great companion tool to monitor these headers and report infractions your users run into in the wild.
You can view my website's [full Worker script here](https://git.jarv.is/jake/jarv.is/blob/master/worker.js) and check out [the resulting A+ grade](https://securityheaders.com/?q=https%3A%2F%2Fjarv.is%2F)!
You can view my website's [full Worker script here](https://git.jarv.is/jake/jarv.is/blob/master/worker.js) and check out [the resulting A+ grade](https://securityheaders.com/?q=https%3A%2F%2Fjarv.is%2F)!