Add Cross-Origin Resource Policy headers for enhanced security

- Introduced Cross-Origin-Resource-Policy header in server.js, nginx.conf, and _headers to restrict resource sharing to same-site origins, improving security against cross-origin attacks.
- Ensured consistent application of Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy across server and nginx configurations for better resource management.
2025-11-18 22:56:56 +01:00
parent 6fa07b4b63
commit 8e7ee9dba4
4 changed files with 121 additions and 0 deletions


@@ -21,6 +21,7 @@ app.use((req, res, next) => {
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
res.setHeader('Cross-Origin-Embedder-Policy', 'credentialless');
res.setHeader('Cross-Origin-Resource-Policy', 'same-site');
// Gate SSR CSP to avoid breaking inline scripts unless explicitly enabled
if (process.env.ENABLE_SSR_CSP === '1') {
res.setHeader(
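Review bot: The new `res.setHeader('Cross-Origin-Resource-Policy', 'same-site')` line applies to every response this middleware touches, so any response that a different site embeds or fetches (images, fonts, scripts, JSON) will now be refused by the browser, and nothing in the hunk documents that trade-off. Unlike the SSR CSP gated on `ENABLE_SSR_CSP` just below, it has no escape hatch; a comment such as `// CORP same-site: browsers refuse to load these responses from other sites; override per-route (e.g. 'cross-origin') for any asset other origins must embed.` would make the intent explicit, and a per-route override is worth considering if such assets exist. It is also worth confirming that the nginx.conf and _headers entries named in the description carry the same value, since if nginx fronts this server and adds the header too, a differing value there would yield duplicate or conflicting headers that mask this one. The enclosing `app.use` middleware starts before the hunk and continues past it.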