UNPKG

@networkpro/web

Version:

Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies

netwk.pro

netwk-pro/netwk-pro.github.io

105 lines (89 loc) 3.13 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
/* ========================================================================== src/hooks.server.js Copyright © 2025-2026 Network Pro Strategies (Network Pro™) SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later This file is part of Network Pro. ========================================================================== */ import { isProbelyScanner } from '$lib/security/probely.js'; import { detectEnvironment } from '$lib/utils/env.js'; const cspReportUri = 'https://csp.netwk.pro/.netlify/functions/csp-report'; /** * SvelteKit server hook to set request-time security headers. * CSP is configured in svelte.config.js so SvelteKit can manage nonces/hashes. * @type {import('@sveltejs/kit').Handle} */ export async function handle({ event, resolve }) { // Probely scanner detection is diagnostic only. Audit mode may use this log // to confirm scanner traffic without changing the request handling path. /** @type {string} */ const userAgent = event.request.headers.get('user-agent') || ''; /** @type {string} */ const remoteIp = event.request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || ''; const isProbely = isProbelyScanner({ ua: userAgent, ip: remoteIp }); const response = await resolve(event); const env = detectEnvironment(event.url.hostname); const { isAudit, isProd, isTest, mode } = env; if (isAudit && isProbely) { console.info('[Audit Mode] Probely scanner detected:', { ip: remoteIp, ua: userAgent, }); } if (event.url.hostname.endsWith('audit.netwk.pro') && mode !== 'audit') { console.warn( `[CSP] Audit hostname requested with PUBLIC_ENV_MODE=${mode}; ` + 'SvelteKit CSP is selected at build time from PUBLIC_ENV_MODE.', ); } if (isProd && !isTest && !isAudit) { response.headers.set( 'Report-To', JSON.stringify({ group: 'csp-endpoint', max_age: 10886400, // 18 weeks endpoints: [{ url: cspReportUri }], include_subdomains: true, }), ); } // Standard security headers response.headers.set( 'Permissions-Policy', [ 'fullscreen=(self)', 'sync-xhr=()', 'camera=()', 'microphone=()', 'geolocation=()', 'clipboard-read=()', 'clipboard-write=(self)', 'payment=()', 'usb=()', 'hid=()', 'gamepad=()', 'serial=()', 'publickey-credentials-get=()', 'browsing-topics=()', ].join(', '), ); response.headers.set('X-Content-Type-Options', 'nosniff'); response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin'); response.headers.set('X-Frame-Options', 'DENY'); if (!isTest) { response.headers.set( 'Strict-Transport-Security', 'max-age=31536000; includeSubDomains', ); } return response; } /** * SvelteKit server-side error handler to log SSR errors. * @type {import('@sveltejs/kit').HandleServerError} */ export function handleError({ error, event }) { console.error('🔴 SSR Error in route:', event.url.pathname); console.error(error); return { message: 'A server-side error occurred' }; }