Jennie Robinson Faber
ba92075366
The OIDC provider was falling back to config.public.appUrl for its issuer, which could resolve to an http:// URL. This caused the logout form action to use http://, violating the CSP form-action directive. Hardcode the issuer fallback to https://ghostguild.org.
30 lines
1.2 KiB
JavaScript
30 lines
1.2 KiB
JavaScript
export default defineEventHandler((event) => {
|
|
const headers = {
|
|
'X-Content-Type-Options': 'nosniff',
|
|
'X-Frame-Options': 'DENY',
|
|
'X-XSS-Protection': '0',
|
|
'Referrer-Policy': 'strict-origin-when-cross-origin',
|
|
'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
|
|
}
|
|
|
|
if (process.env.NODE_ENV === 'production') {
|
|
headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
|
|
|
|
// CSP: allow self, Cloudinary images, HelcimPay.js, Plausible analytics
|
|
headers['Content-Security-Policy'] = [
|
|
"default-src 'self'",
|
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
|
|
"style-src 'self' 'unsafe-inline'",
|
|
"img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
|
|
"font-src 'self'",
|
|
"connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
|
|
"frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
|
|
"base-uri 'self'",
|
|
"form-action 'self'",
|
|
].join('; ')
|
|
}
|
|
|
|
for (const [key, value] of Object.entries(headers)) {
|
|
setHeader(event, key, value)
|
|
}
|
|
})
|