From 0cade255e95f4035a68840b59254e3876c5e45eb Mon Sep 17 00:00:00 2001
From: Jade Ellis
Date: Fri, 8 Mar 2024 19:49:19 +0000
Subject: [PATCH] Security headers

---
 packages/website/src/hooks.server.ts | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 packages/website/src/hooks.server.ts

diff --git a/packages/website/src/hooks.server.ts b/packages/website/src/hooks.server.ts
new file mode 100644
index 00000000..102a2d34
--- /dev/null
+++ b/packages/website/src/hooks.server.ts
@@ -0,0 +1,26 @@
+import type { Handle } from "@sveltejs/kit";
+
+const securityHeaders = {
+ 'X-Content-Type-Options': 'nosniff',
+ 'X-XSS-Protection': '0',
+
+ "Referrer-Policy": "no-referrer-when-downgrade",
+
+ "Permissions-Policy": "payment=(), geolocation=(self), notifications=(self), push=(self), fullscreen=(self)",
+
+ 'Cross-Origin-Embedder-Policy': 'require-corp',
+ 'Cross-Origin-Opener-Policy': 'same-origin',
+ 'Cross-Origin-Resource-Policy': 'same-origin',
+
+}
+
+export const handle: Handle = async ({ event, resolve }) => {
+ const response = await resolve(event);
+ Object.entries(securityHeaders).forEach(
+ ([header, value]) => response.headers.set(header, value)
+ );
+
+ response.headers.delete("x-sveltekit-page")
+
+ return response;
+}
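Review bot: The `securityHeaders` object sets no clickjacking protection and no Content-Security-Policy, so nothing stops the site from being framed or restricts where scripts may load from; at minimum `'X-Frame-Options': 'DENY',` belongs in the object (or `frame-ancestors 'none'` once a CSP is introduced), and `Strict-Transport-Security` should be confirmed as set somewhere upstream if not here. `'Cross-Origin-Embedder-Policy': 'require-corp'` makes the browser refuse every cross-origin image, font or script that does not itself send CORP/CORS headers, so this value should be verified against the site's third-party assets before it ships. The `notifications=` and `push=` entries in `Permissions-Policy` are not standard feature names and are likely ignored by browsers, and `no-referrer-when-downgrade` is the weakest common `Referrer-Policy`, where `strict-origin-when-cross-origin` is the usual hardening choice. On style, the object mixes single and double quotes, the literal and the `response.headers.delete("x-sveltekit-page")` line lack semicolons, and `for (const [header, value] of Object.entries(securityHeaders))` reads more directly than the `forEach` with an arrow callback.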