Fastly: Include security headers for dl

Add Security headers to the VCL service. Ref: - https://web.dev/secure/ - https://infosec.mozilla.org/guidelines/web_security Signed-off-by: Arnaud Meukam <[email protected]>
kubernetes · Nov 15, 2024 · 17c3fe5 · 17c3fe5
1 parent 303f93c
commit 17c3fe5
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl b/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
@@ -109,6 +109,17 @@ sub vcl_hit {
 
 sub vcl_deliver {
 
+  set resp.http.Content-Security-Policy = "default-src 'self'";
+  set resp.http.X-Frame-Options = "SAMEORIGIN";
+  set resp.http.X-XSS-Protection = "1";
+  set resp.http.X-Content-Type-Options = "nosniff";
+  set resp.http.Referrer-Policy = "origin-when-cross-origin";
+
+  if (req.protocol == "https") {
+    # Only connect to this site and subdomains via HTTPS for the next two years
+    set resp.http.Strict-Transport-Security = "max-age=63072000; includeSubDomains";
+  }
+
   if (resp.http.cache-control:max-age) {
     unset resp.http.expires;
   }