author | Julien Dessaux | 2021-10-30 15:30:32 +0200 |
committer | Julien Dessaux | 2021-10-30 17:52:08 +0200 |
commit | 5d5ce99011ac20c355ecc74f0a0e302e93985d10 (patch) | |
tree | 52385872d3de670a5bfa92f93a2d0c1d276f5115 /src | |
parent | Changed for a better way to generate uuids (diff) | |
Added caching and security headers
Diffstat (limited to 'src')
-rw-r--r-- | src/short.nim | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/src/short.nim b/src/short.nim
index 5005e16..392cf34 100644
--- a/src/short.nim
+++ b/src/short.nim
@@ -1,5 +1,5 @@
 import os, strutils
-import std/[hashes, re, times, uri]
+import std/[hashes, re, sequtils, times, uri]
 import tiny_sqlite
 import jester
@@ -13,6 +13,21 @@ const cssRoute = "/static/all.css." & $hash(allCss)
 const favicon = staticRead("../static/favicon.ico")
 const faviconSvg = staticRead("../static/favicon.svg")
+const secureHeaders = @[
+ ("X-Frame-Options", "deny"),
+ ("X-XSS-Protection", "1; mode=block"),
+ ("X-Content-Type-Options", "nosniff"),
+ ("Referrer-Policy", "strict-origin"),
+ ("Cache-Control", "no-transform"),
+ ("Content-Security-Policy", "script-src 'self'"),
+ ("Permissions-Policy", "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"),
+ ("Strict-Transport-Security", "max-age=16000000;"),
+]
+const cachingHeaders = concat(secureHeaders, @[("Cache-Control", "public, max-age=31536000, immutable" )])
+const cssHeaders = concat(cachingHeaders, @[("content-type", "text/css")])
+const icoHeaders = concat(cachingHeaders, @[("content-type", "image/x-icon")])
+const svgHeaders = concat(cachingHeaders, @[("content-type", "image/svg+xml")])
 var db {.threadvar.}: DbConn
 proc initDB() {.raises: [SqliteError].} =
@@ -111,11 +126,11 @@ routes:
 else: redirect("/" & content)
 get "/static/favicon.ico":
- resp Http200, {"content-type": "image/x-icon"}, favicon
+ resp Http200, icoHeaders, favicon
 get "/static/favicon.svg":
- resp Http200, {"content-type": "image/svg+xml"}, faviconSvg
+ resp Http200, svgHeaders, faviconSvg
 get re"^/static/all\.css\.":
- resp Http200, {"content-type": "text/css"}, allcss
+ resp Http200, cssHeaders, allcss
 get "/@token":
 initDB()
 var (code, content) = handleToken(@"token") |
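Review bot: `secureHeaders` carries `("Cache-Control", "no-transform")` and `cachingHeaders` then appends a second `Cache-Control` entry, so every static response goes out with two Cache-Control headers; clients fold them into one list, but it is cleaner to drop the first entry and emit a single `("Cache-Control", "public, no-transform, max-age=31536000, immutable")` in `cachingHeaders`. `X-XSS-Protection: 1; mode=block` re-enables the legacy auditor that modern browsers have removed and that was itself abused for cross-site information leaks; current guidance is `("X-XSS-Protection", "0")` or omitting the header. The CSP sets only `script-src 'self'`, so styles, objects, frames and connections stay unrestricted; `("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")` would cover them and supersede X-Frame-Options in modern browsers. The HSTS value lacks `includeSubDomains` and ends in a stray `;`, and whether HSTS should be emitted by this process at all depends on whether it terminates TLS itself, which the hunk does not show.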
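Review bot: The new header sets are attached only to the three static-asset routes, and X-Frame-Options, Content-Security-Policy and Permissions-Policy have no effect on a favicon or a stylesheet; they matter on the HTML responses, which in this hunk (the `redirect("/" & content)` branch and the `/@token` handler, whose body continues past the hunk) still appear to be sent without `secureHeaders`. Unless a `before` handler outside the view adds them, consider passing `secureHeaders` on the dynamic responses too, e.g. `resp Http200, secureHeaders, page` wherever the HTML is rendered. The `routes:` block starts before this hunk and ends after it.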