From 5d5ce99011ac20c355ecc74f0a0e302e93985d10 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sat, 30 Oct 2021 15:30:32 +0200
Subject: Added caching and security headers
---
 short.nimble | 2 +-
 src/short.nim | 23 +++++++++++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/short.nimble b/short.nimble
index 7aba695..d2ffc84 100644
--- a/short.nimble
+++ b/short.nimble
@@ -1,6 +1,6 @@
 # Package
-version = "0.1.0"
+version = "0.2.0"
 author = "Julien Dessaux"
 description = "A simple, privacy friendly URL shortener"
 license = "EUPL-1.2"
diff --git a/src/short.nim b/src/short.nim
index 5005e16..392cf34 100644
--- a/src/short.nim
+++ b/src/short.nim
@@ -1,5 +1,5 @@
 import os, strutils
-import std/[hashes, re, times, uri]
+import std/[hashes, re, sequtils, times, uri]
 import tiny_sqlite
 import jester
@@ -13,6 +13,21 @@ const cssRoute = "/static/all.css." & $hash(allCss)
 const favicon = staticRead("../static/favicon.ico")
 const faviconSvg = staticRead("../static/favicon.svg")
+const secureHeaders = @[
+ ("X-Frame-Options", "deny"),
+ ("X-XSS-Protection", "1; mode=block"),
+ ("X-Content-Type-Options", "nosniff"),
+ ("Referrer-Policy", "strict-origin"),
+ ("Cache-Control", "no-transform"),
+ ("Content-Security-Policy", "script-src 'self'"),
+ ("Permissions-Policy", "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"),
+ ("Strict-Transport-Security", "max-age=16000000;"),
+]
+const cachingHeaders = concat(secureHeaders, @[("Cache-Control", "public, max-age=31536000, immutable" )])
+const cssHeaders = concat(cachingHeaders, @[("content-type", "text/css")])
+const icoHeaders = concat(cachingHeaders, @[("content-type", "image/x-icon")])
+const svgHeaders = concat(cachingHeaders, @[("content-type", "image/svg+xml")])
 var db {.threadvar.}: DbConn
 proc initDB() {.raises: [SqliteError].} =
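Review bot: `Cache-Control` is emitted twice on the static asset responses, because `secureHeaders` carries `("Cache-Control", "no-transform")` and `cachingHeaders` then appends a second `("Cache-Control", "public, max-age=31536000, immutable")` on top of it; whether jester joins the two, overwrites one or sends both is not visible here, and a client or proxy may honour only one of them. Folding the directive into a single value, `("Cache-Control", "public, max-age=31536000, immutable, no-transform")`, and dropping the entry from `secureHeaders` (or filtering it out with `secureHeaders.filterIt(it[0] != "Cache-Control")`, which the newly imported `sequtils` provides) gives one unambiguous header. Two of the values are also worth a second look: `X-XSS-Protection: 1; mode=block` enables a legacy browser filter that current guidance recommends disabling with `0`, and `script-src 'self'` without a `default-src` leaves every other resource type unrestricted, so `default-src 'self'; script-src 'self'` would be the stricter starting point if the pages load nothing from other origins. The trailing `;` in `max-age=16000000;` is tolerated by the HSTS grammar but serves no purpose and can go.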
@@ -111,11 +126,11 @@ routes:
 else:
 redirect("/" & content)
 get "/static/favicon.ico":
- resp Http200, {"content-type": "image/x-icon"}, favicon
+ resp Http200, icoHeaders, favicon
 get "/static/favicon.svg":
- resp Http200, {"content-type": "image/svg+xml"}, faviconSvg
+ resp Http200, svgHeaders, faviconSvg
 get re"^/static/all\.css\.":
- resp Http200, {"content-type": "text/css"}, allcss
+ resp Http200, cssHeaders, allcss
 get "/@token":
 initDB()
 var (code, content) = handleToken(@"token")
--
cgit v1.2.3
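Review bot: The security headers are attached only to the three static asset routes rewritten here; the HTML and redirect responses from the other routes in this `routes:` block (`get "/@token"` below, and whatever precedes line 111 outside the hunk) are unchanged and still go out without `X-Frame-Options`, `Content-Security-Policy` or `Strict-Transport-Security`, which are precisely the responses those headers exist to protect. Unless they are set elsewhere outside this diff, pass `secureHeaders` to the remaining `resp` calls as well, or set them once for every response in a jester `before` handler so that a future route cannot forget them. The enclosing `routes:` block starts before and continues after the hunk.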