aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--short.nimble2
-rw-r--r--src/short.nim23
2 files changed, 20 insertions, 5 deletions
diff --git a/short.nimble b/short.nimble
index 7aba695..d2ffc84 100644
--- a/short.nimble
+++ b/short.nimble
@@ -1,6 +1,6 @@
# Package
-version = "0.1.0"
+version = "0.2.0"
author = "Julien Dessaux"
description = "A simple, privacy friendly URL shortener"
license = "EUPL-1.2"
diff --git a/src/short.nim b/src/short.nim
index 5005e16..392cf34 100644
--- a/src/short.nim
+++ b/src/short.nim
@@ -1,5 +1,5 @@
import os, strutils
-import std/[hashes, re, times, uri]
+import std/[hashes, re, sequtils, times, uri]
import tiny_sqlite
import jester
@@ -13,6 +13,21 @@ const cssRoute = "/static/all.css." & $hash(allCss)
const favicon = staticRead("../static/favicon.ico")
const faviconSvg = staticRead("../static/favicon.svg")
+const secureHeaders = @[
+ ("X-Frame-Options", "deny"),
+ ("X-XSS-Protection", "1; mode=block"),
+ ("X-Content-Type-Options", "nosniff"),
+ ("Referrer-Policy", "strict-origin"),
+ ("Cache-Control", "no-transform"),
+ ("Content-Security-Policy", "script-src 'self'"),
+ ("Permissions-Policy", "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"),
+ ("Strict-Transport-Security", "max-age=16000000;"),
+]
+const cachingHeaders = concat(secureHeaders, @[("Cache-Control", "public, max-age=31536000, immutable" )])
+const cssHeaders = concat(cachingHeaders, @[("content-type", "text/css")])
+const icoHeaders = concat(cachingHeaders, @[("content-type", "image/x-icon")])
+const svgHeaders = concat(cachingHeaders, @[("content-type", "image/svg+xml")])
+
var db {.threadvar.}: DbConn
proc initDB() {.raises: [SqliteError].} =
@@ -111,11 +126,11 @@ routes:
else:
redirect("/" & content)
get "/static/favicon.ico":
- resp Http200, {"content-type": "image/x-icon"}, favicon
+ resp Http200, icoHeaders, favicon
get "/static/favicon.svg":
- resp Http200, {"content-type": "image/svg+xml"}, faviconSvg
+ resp Http200, svgHeaders, faviconSvg
get re"^/static/all\.css\.":
- resp Http200, {"content-type": "text/css"}, allcss
+ resp Http200, cssHeaders, allcss
get "/@token":
initDB()
var (code, content) = handleToken(@"token")