Merge pull request #6 from vasylenko/patch-1

dbrown-git · web-flow · commit 023b2aa6c405 · 2021-08-27T10:28:24.000-07:00
Security headers updated recommended by Mozilla Observatory
diff --git a/add-security-headers/index.js b/add-security-headers/index.js
@@ -5,11 +5,12 @@ function handler(event) {
     // Set HTTP security headers
     // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation 
     headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; 
-    headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"}; 
+    headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'"}; 
     headers['x-content-type-options'] = { value: 'nosniff'}; 
     headers['x-frame-options'] = {value: 'DENY'}; 
-    headers['x-xss-protection'] = {value: '1; mode=block'}; 
+    headers['x-xss-protection'] = {value: '1; mode=block'};
+    headers['referrer-policy'] = {value: 'same-origin'};
     
     // Return the response to viewers 
     return response;
-}
+}
