authorJulien Dessaux2021-10-30 15:30:32 +0200
committerJulien Dessaux2021-10-30 17:52:08 +0200
commit5d5ce99011ac20c355ecc74f0a0e302e93985d10 (patch)
tree52385872d3de670a5bfa92f93a2d0c1d276f5115 /src
parentChanged for a better way to generate uuids (diff)
Added caching and security headers
Diffstat (limited to 'src')
-rw-r--r--src/short.nim23
1 files changed, 19 insertions, 4 deletions
diff --git a/src/short.nim b/src/short.nim
index 5005e16..392cf34 100644
--- a/src/short.nim
+++ b/src/short.nim
@@ -1,5 +1,5 @@
import os, strutils
-import std/[hashes, re, times, uri]
+import std/[hashes, re, sequtils, times, uri]
import tiny_sqlite
import jester
@@ -13,6 +13,21 @@ const cssRoute = "/static/all.css." & $hash(allCss)
const favicon = staticRead("../static/favicon.ico")
const faviconSvg = staticRead("../static/favicon.svg")
+const secureHeaders = @[
+ ("X-Frame-Options", "deny"),
+ ("X-XSS-Protection", "1; mode=block"),
+ ("X-Content-Type-Options", "nosniff"),
+ ("Referrer-Policy", "strict-origin"),
+ ("Cache-Control", "no-transform"),
+ ("Content-Security-Policy", "script-src 'self'"),
+ ("Permissions-Policy", "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"),
+ ("Strict-Transport-Security", "max-age=16000000;"),
+]
+const cachingHeaders = concat(secureHeaders, @[("Cache-Control", "public, max-age=31536000, immutable" )])
+const cssHeaders = concat(cachingHeaders, @[("content-type", "text/css")])
+const icoHeaders = concat(cachingHeaders, @[("content-type", "image/x-icon")])
+const svgHeaders = concat(cachingHeaders, @[("content-type", "image/svg+xml")])
+
var db {.threadvar.}: DbConn
proc initDB() {.raises: [SqliteError].} =
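Review bot: `cachingHeaders` ends up with two `Cache-Control` entries — `no-transform` inherited from `secureHeaders` and `public, max-age=31536000, immutable` appended by `concat` — and whether jester emits both lines or keeps only one depends on how it serialises the header seq, so the intent should be spelled out as one merged directive list: `("Cache-Control", "no-transform, public, max-age=31536000, immutable")` in `cachingHeaders`, with the base entry in `secureHeaders` left as the default for non-cached responses. The `Content-Security-Policy` value `script-src 'self'` has no `default-src`, so object, frame, base and form destinations stay unrestricted; `default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'` is the usual baseline for a page that only loads its own CSS, to be checked against the HTML template for inline styles. `X-XSS-Protection: 1; mode=block` is deprecated and the filter it enables has been abused for cross-site leaks; current guidance is to send `0` or drop the header once a CSP is in place. `Referrer-Policy: strict-origin` still leaks the origin to the redirect targets of this shortener, so consider `no-referrer` if that is not wanted.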
@@ -111,11 +126,11 @@ routes:
else:
redirect("/" & content)
get "/static/favicon.ico":
- resp Http200, {"content-type": "image/x-icon"}, favicon
+ resp Http200, icoHeaders, favicon
get "/static/favicon.svg":
- resp Http200, {"content-type": "image/svg+xml"}, faviconSvg
+ resp Http200, svgHeaders, faviconSvg
get re"^/static/all\.css\.":
- resp Http200, {"content-type": "text/css"}, allcss
+ resp Http200, cssHeaders, allcss
get "/@token":
initDB()
var (code, content) = handleToken(@"token")
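Review bot: The new headers are attached only to the three static-asset routes in this hunk; the `redirect("/" & content)` above and the `/@token` handler, whose body continues past the hunk, are unchanged, so `Content-Security-Policy`, `X-Frame-Options` and `Strict-Transport-Security` are never sent on the responses where they matter (a CSP on a CSS file does nothing, and HSTS only takes effect when a browser sees it on a document response). The diffstat shows this commit touches only src/short.nim, so unless a reverse proxy in front of the app adds them, the HTML and redirect responses carry none of these headers. Jester's `resp` takes the same header seq, so `secureHeaders` should be passed on every `resp` that returns HTML and on the redirect paths, or set once for all responses if jester's route hooks allow it. Separately, `/static/favicon.ico` and `/static/favicon.svg` have no content hash in their path (unlike `cssRoute`), so `max-age=31536000, immutable` means a replaced icon will not be refetched by returning browsers for up to a year; give those two a shorter `max-age` without `immutable`, or hash their paths the way `cssRoute` does.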