UNPKG

astro

Version:

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

astro.build

withastro/astro

22 lines (21 loc) 1.18 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import type { RemotePattern } from '@astrojs/internal-helpers/remote'; import type * as vite from 'vite'; import type { AstroLogger } from '../core/logger/core.js'; /** * Middleware that validates Sec-Fetch metadata headers on incoming requests * to block cross-origin subresource requests (e.g. `<script>` tags from * another origin loading dev server modules). * * Navigation requests (`Sec-Fetch-Mode: navigate`) are always allowed through * because browsers enforce their own security model for top-level navigations. * * Requests without `Sec-Fetch-Site` (e.g. from non-browser clients like curl, * or older browsers that don't send Fetch Metadata) are also allowed through * to avoid breaking legitimate development workflows. * * When `security.allowedDomains` is configured, requests whose `Origin` header * matches one of the allowed patterns are also permitted. This supports proxied * dev server setups (e.g. ngrok, Cloudflare Tunnel) where the browser sees a * different origin than the dev server itself. */ export declare function secFetchMiddleware(logger: AstroLogger, allowedDomains?: Partial<RemotePattern>[]): vite.Connect.NextHandleFunction;