security headers

2026-02-08 02:33:01 +00:00 · 2026-01-09 04:53:05 +00:00
parent 21655c2b73
commit ad138059db
1 changed files with 9 additions and 0 deletions
--- a/packages/backend/src/auth/middleware.ts
+++ b/packages/backend/src/auth/middleware.ts
@@ -89,6 +89,11 @@ const buildCorsHeaders = (req: Request) => {
 export const withCors = <T extends BunRequest>(handler: RouteHandler<T>): RouteHandler<T> => {
    return async (req: T) => {
        const corsHeaders = buildCorsHeaders(req);
+        const securityHeaders = new Headers();
+        securityHeaders.set("X-Content-Type-Options", "nosniff");
+        securityHeaders.set("X-Frame-Options", "DENY");
+        securityHeaders.set("X-XSS-Protection", "1; mode=block");
+        securityHeaders.set("Referrer-Policy", "strict-origin-when-cross-origin");

        if (req.method === "OPTIONS") {
            return new Response(null, { status: 204, headers: corsHeaders });
@@ -101,6 +106,10 @@ export const withCors = <T extends BunRequest>(handler: RouteHandler<T>): RouteH
            wrapped.headers.set(key, value);
        });

+        securityHeaders.forEach((value, key) => {
+            wrapped.headers.set(key, value);
+        });
+
        return wrapped;
    };
 };