UNPKG

@networkpro/web

Version:

Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies

netwk.pro

netwk-pro/netwk-pro.github.io

106 lines (91 loc) 3.33 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
/* ========================================================================== src/hooks.server.js Copyright © 2025 Network Pro Strategies (Network Pro™) SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later This file is part of Network Pro. ========================================================================== */ /** * SvelteKit server hook to set Content Security Policy (CSP) header. * @type {import('@sveltejs/kit').Handle} */ export async function handle({ event, resolve }) { // Create the response const response = await resolve(event); // Determine environment flags // Default to development policy if neither test nor prod const isTestEnvironment = process.env.NODE_ENV === 'test' || process.env.ENV_MODE === 'ci'; const isProdEnvironment = process.env.NODE_ENV === 'production' || process.env.ENV_MODE === 'prod'; console.log('[CSP Debug] NODE_ENV:', process.env.NODE_ENV); console.log('[CSP Debug] ENV_MODE:', process.env.ENV_MODE); // Determine report URI const reportUri = isProdEnvironment ? '/api/csp-report' : '/api/mock-csp'; // Construct base policy const cspDirectives = [ "default-src 'self';", "script-src 'self' 'unsafe-inline' https://us.i.posthog.com https://us-assets.i.posthog.com;", "style-src 'self' 'unsafe-inline';", "img-src 'self' data:;", "connect-src 'self' https://us.i.posthog.com https://us-assets.i.posthog.com;", "font-src 'self' data:;", "form-action 'self';", "base-uri 'self';", "object-src 'none';", "frame-ancestors 'none';", 'upgrade-insecure-requests;', `report-uri ${reportUri};`, ]; // Loosen up CSP for test environments if (isTestEnvironment) { cspDirectives[1] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' ws://localhost:*;"; cspDirectives[2] = "script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' ws://localhost:*;"; cspDirectives[3] = "style-src 'self' 'unsafe-inline';"; cspDirectives[4] = "img-src 'self' data:;"; cspDirectives[5] = "connect-src 'self';"; } response.headers.set('Content-Security-Policy', cspDirectives.join(' ')); // Set other security headers response.headers.set( 'Permissions-Policy', [ 'fullscreen=(self)', 'sync-xhr=()', 'camera=()', 'microphone=()', 'geolocation=()', 'clipboard-read=()', 'clipboard-write=(self)', 'payment=()', 'usb=()', 'hid=()', 'gamepad=()', 'serial=()', 'publickey-credentials-get=()', 'browsing-topics=()', ].join(', '), ); response.headers.set('X-Content-Type-Options', 'nosniff'); response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin'); response.headers.set('X-Frame-Options', 'DENY'); if (process.env.ENV_MODE !== 'test' && process.env.ENV_MODE !== 'ci') { response.headers.set( 'Strict-Transport-Security', 'max-age=31536000; includeSubDomains;', // No preload here ); } return response; } /** * SvelteKit server-side error handler to log SSR errors. * @type {import('@sveltejs/kit').HandleServerError} */ export function handleError({ error, event }) { console.error('🔴 SSR Error in route:', event.url.pathname); console.error(error); return { message: 'A server-side error occurred', }; }