added security headers

src/hooks.server.ts

@@ -42,6 +42,13 @@ process.on('SIGINT', (_) => {
 export let handle: Handle = async function ({ event, resolve }) {
 
 	console.log("incoming ", event.request.method, " request to: ", event.url.href, " (route id: ", event.route.id, ")");
+
+	event.setHeaders({
+		//"Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload",
+		"X-Frame-Options": "Deny",
+		"X-Content-Type-Options": "nosniff",
+		"Referrer-Policy": "strict-origin-when-cross-origin"
+	})
 	
 	if (event.route.id == null) {
 		return error(404, "This page does not exist.");

svelte.config.js

@@ -11,10 +11,25 @@ const config = {
 		// adapter-auto only supports some environments, see https://svelte.dev/docs/kit/adapter-auto for a list.
 		// If your environment is not supported, or you settled on a specific environment, switch out the adapter.
 		// See https://svelte.dev/docs/kit/adapters for more information about adapters.
-		adapter: adapter()
+		adapter: adapter(),
+		
+		csp: {
+			mode: 'auto',
+			directives: {
+				'default-src': ['self'],
+				'script-src': ['self'],
+			},
+			// must be specified with either the `report-uri` or `report-to` directives, or both
+			reportOnly: {
+				'script-src': ['self'],
+				'report-uri': ['/']
+			}
+		}
 	},
 
-	warningFilter: (warning) => !warning.code.startsWith('a11y')
+	checkOrigin: true,
+
+	//warningFilter: (warning) => !warning.code.startsWith('a11y')
 };
 
 export default config