add security headers

glific · Sep 21, 2023 · 343dac0 · 343dac0
1 parent b42584e
commit 343dac0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/index.html b/index.html
@@ -1,16 +1,8 @@
-<!DOCTYPE html>
+<!doctype html>
 <html lang="en">
   <head>
     <meta charset="utf-8" />
     <link rel="icon" href="/Glific-Favicon.svg" />
-    <link
-      href="https://fonts.googleapis.com/css2?family=Heebo:wght@500&display=swap"
-      rel="stylesheet"
-    />
-    <link
-      href="https://fonts.googleapis.com/css2?family=Tenor+Sans&display=swap"
-      rel="stylesheet"
-    />
     <meta name="viewport" content="minimum-scale=1, initial-scale=1, width=device-width" />
     <meta name="theme-color" content="#000000" />
     <meta name="description" content="Glific: Two way communication platform" />

diff --git a/vite.config.ts b/vite.config.ts
@@ -59,6 +59,14 @@ export default ({ command, mode }: ConfigEnv): UserConfigExport => {
           key: fs.readFileSync('../glific/priv/cert/glific.test+1-key.pem'),
           cert: fs.readFileSync('../glific/priv/cert/glific.test+1.pem'),
         },
+        headers: {
+          'X-Content-Type-Options': 'nosniff',
+          'X-XSS-Protection': '1; mode=block',
+          'X-Frame-Options': 'deny',
+          'Content-Security-Policy':
+            "default-src 'self'; script-src * 'unsafe-inline' blob:; style-src * 'unsafe-inline'; font-src * data:; connect-src *;",
+          'Strict-Transport-Security': 'max-age=63072000; includeSubdomains; preload',
+        },
       },
       resolve: { alias: { util: 'util/', stream: 'stream-browserify' } }, // stream polyfill is needed by logflare
     });