added security headers

updated svelte
updated bun and packages
2025-06-18 14:50:54 +02:00 · 2025-06-16 13:50:57 +02:00 · 2025-06-10 00:24:27 +02:00
4 changed files with 31 additions and 9 deletions
--- a/bun.lockb
+++ b/bun.lockb
--- a/package.json
+++ b/package.json
@ -4,15 +4,15 @@
 	"devDependencies": {
 		"@sveltejs/adapter-auto": "^3.3.1",
 		"@sveltejs/adapter-node": "^5.2.12",
-		"@sveltejs/kit": "^2.20.4",
-		"@sveltejs/vite-plugin-svelte": "^5.0.3",
-		"@types/bun": "^1.2.10",
+		"@sveltejs/kit": "^2.21.5",
+		"@sveltejs/vite-plugin-svelte": "^5.1.0",
+		"@types/bun": "^1.2.16",
 		"@types/sqlite3": "^3.1.11",
-		"svelte": "^5.25.6",
+		"svelte": "^5.34.3",
 		"svelte-adapter-bun": "^0.5.2",
-		"svelte-check": "^4.1.5",
-		"typescript": "^5.8.2",
-		"vite": "^6.2.5"
+		"svelte-check": "^4.2.1",
+		"typescript": "^5.8.3",
+		"vite": "^6.3.5"
 	},
 	"private": true,
 	"scripts": {
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@ -42,6 +42,13 @@ process.on('SIGINT', (_) => {
 export let handle: Handle = async function ({ event, resolve }) {

 	console.log("incoming ", event.request.method, " request to: ", event.url.href, " (route id: ", event.route.id, ")");
+
+	event.setHeaders({
+		//"Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload",
+		"X-Frame-Options": "Deny",
+		"X-Content-Type-Options": "nosniff",
+		"Referrer-Policy": "strict-origin-when-cross-origin"
+	})
 	
 	if (event.route.id == null) {
 		return error(404, "This page does not exist.");
--- a/svelte.config.js
+++ b/svelte.config.js
@ -11,10 +11,25 @@ const config = {
 		// adapter-auto only supports some environments, see https://svelte.dev/docs/kit/adapter-auto for a list.
 		// If your environment is not supported, or you settled on a specific environment, switch out the adapter.
 		// See https://svelte.dev/docs/kit/adapters for more information about adapters.
-		adapter: adapter()
+		adapter: adapter(),
+		
+		csp: {
+			mode: 'auto',
+			directives: {
+				'default-src': ['self'],
+				'script-src': ['self'],
+			},
+			// must be specified with either the `report-uri` or `report-to` directives, or both
+			reportOnly: {
+				'script-src': ['self'],
+				'report-uri': ['/']
+			}
+		}
 	},

-	warningFilter: (warning) => !warning.code.startsWith('a11y')
+	checkOrigin: true,
+
+	//warningFilter: (warning) => !warning.code.startsWith('a11y')
 };

 export default config
Author	SHA1	Message	Date
Patrick	945b49c467	added security headers	2025-06-18 14:50:54 +02:00
Patrick	4292391031	updated svelte	2025-06-16 13:50:57 +02:00
Patrick	e96cc9b7a3	updated bun and packages	2025-06-10 00:24:27 +02:00