Security headers

packages/website/src/hooks.server.ts

@@ -0,0 +1,26 @@
+import type { Handle } from "@sveltejs/kit";
+
+const securityHeaders = {
+    'X-Content-Type-Options': 'nosniff',
+    'X-XSS-Protection': '0',
+
+    "Referrer-Policy": "no-referrer-when-downgrade",
+
+    "Permissions-Policy": "payment=(), geolocation=(self), notifications=(self), push=(self), fullscreen=(self)",
+
+    'Cross-Origin-Embedder-Policy': 'require-corp',
+    'Cross-Origin-Opener-Policy': 'same-origin',
+    'Cross-Origin-Resource-Policy': 'same-origin',
+
+}
+
+export const handle: Handle = async ({ event, resolve }) => {
+    const response = await resolve(event);
+    Object.entries(securityHeaders).forEach(
+        ([header, value]) => response.headers.set(header, value)
+    );
+
+    response.headers.delete("x-sveltekit-page")
+
+    return response;
+}