I was bothered by the result (score) under the security section on sites like https://www.webpagetest.org/ and https://securityheaders.com/.
However, with Cloudflare Workers it is very easy to solve this problem: a worker placed in front of the origin can add the missing response headers at the edge, without touching the web server itself.
The example below is for those who know what they are doing and how to customize the code to fit their website. I am not responsible!
Cloudflare offers a free plan which contains

- Go to the Cloudflare dashboard and select the Workers section from the top menu.
- Create a worker.
- Give it a name (here).
4.1 Copy/paste this code (modify if necessary):
// Intercept every request on the route this worker is attached to.
addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request));
});

// Fetch the origin's response, then rewrite its headers before returning it.
async function handleRequest(request) {
  const response = await fetch(request);
  return getSecuredResponse(response);
}

// Headers to add (or overwrite) on HTML responses.
// Caveats: the HSTS preload list requires a max-age of at least 31536000 (one year),
// so with max-age=2592000 the "preload" token has no effect; Feature-Policy has been
// superseded by Permissions-Policy (different syntax); and X-XSS-Protection is a legacy
// header that current browsers ignore (the OWASP Secure Headers Project now recommends
// the value 0 or omitting it). Adjust the values to your site before deploying.
const securityHeaderMap = {
  "Strict-Transport-Security": "max-age=2592000; includeSubDomains; preload",
  "Content-Security-Policy": "upgrade-insecure-requests",
  "Feature-Policy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "X-XSS-Protection": "1; mode=block"
};

// Headers removed from the response (they reveal the origin's technology stack).
const headerDeletionList = [
  "X-Powered-By"
];

async function getSecuredResponse(response) {
  // The headers of a fetched Response are immutable, so work on a copy.
  const responseHeaders = new Headers(response.headers);
  // Return immediately if the response is not text/html (JSON, images, etc. are passed through unchanged).
  if (isResponseContentTypeNotHtml(responseHeaders)) {
    return response;
  }
  // Add the security headers. Note that set() replaces any header the origin already sent,
  // including an origin Content-Security-Policy that may be stricter than the one above.
  Object.entries(securityHeaderMap).forEach(([name, value]) => responseHeaders.set(name, value));
  // Delete the unwanted headers.
  headerDeletionList.forEach(name => responseHeaders.delete(name));
  // Return a new response with the original body and status but the modified headers.
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: responseHeaders
  });
}

// True when the response is not HTML (or has no Content-Type at all).
function isResponseContentTypeNotHtml(headers) {
  const contentType = headers.get('content-type');
  return !contentType || !contentType.includes("text/html");
}
4.2 Save.
- Now the worker has to be told when it is activated, i.e. add a route (trigger).
Select the Workers tab again from the top menu.
6.1 The route pattern (a single domain, all subdomains, etc.); consult the Cloudflare documentation on routes (linked here).
6.2 The name of our worker.
6.3 I chose not to throw out the error.
8. If it doesn't work properly, edit the trigger (route) or the worker code.
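As an added example that is not part of the original post (and not Cloudflare's code), here is a testable variant of the same idea. The header values, the split into always-enforced headers, default headers that are only added when the origin did not already send one, and stripped headers, as well as the constructed sample origin responses, are this example's own choices. It uses only the WHATWG Response/Headers/Request globals, which exist both in the Workers runtime and in Node 18+, so it runs offline; the upstream fetch is injected so the logic can be exercised without a network.

```javascript
// Added example, not the post's worker. Header values are this example's choices.
// Runs stand-alone under Node 18+ (global Response/Headers/Request) and in the Workers runtime.

// Headers that are always set, replacing whatever the origin sent.
const ENFORCED_HEADERS = {
  // The HSTS preload list requires max-age >= 31536000 (one year) when "preload" is present.
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  // Permissions-Policy is the successor of Feature-Policy and uses a different syntax.
  "Permissions-Policy": "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  // "0" disables the legacy XSS auditor instead of enabling it; current browsers ignore it either way.
  "X-XSS-Protection": "0",
};

// Headers only added when the origin did not already send one:
// blindly overwriting an origin CSP would silently weaken a stricter policy.
const DEFAULT_HEADERS = {
  "Content-Security-Policy": "upgrade-insecure-requests; frame-ancestors 'self'",
};

// Headers that leak implementation details and are always removed.
const STRIPPED_HEADERS = ["X-Powered-By", "Server"];

function isHtml(headers) {
  const ct = headers.get("content-type") || "";
  return ct.toLowerCase().includes("text/html");
}

// Pure, synchronous transformation of a Response: the piece worth unit-testing.
function secureResponse(response) {
  if (!isHtml(response.headers)) return response; // leave JSON, images, etc. untouched
  const headers = new Headers(response.headers);  // fetched headers are immutable, so copy
  for (const [name, value] of Object.entries(ENFORCED_HEADERS)) headers.set(name, value);
  for (const [name, value] of Object.entries(DEFAULT_HEADERS)) {
    if (!headers.has(name)) headers.set(name, value);
  }
  for (const name of STRIPPED_HEADERS) headers.delete(name);
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Worker entry point; the upstream fetch is injectable so tests need no network.
async function handleRequest(request, upstreamFetch = fetch) {
  const origin = await upstreamFetch(request);
  return secureResponse(origin);
}

// A minimal check in the spirit of securityheaders.com: which expected headers are missing?
function auditHeaders(headers) {
  const expected = [...Object.keys(ENFORCED_HEADERS), ...Object.keys(DEFAULT_HEADERS)];
  return expected.filter((name) => !headers.has(name));
}

// Constructed sample responses standing in for the origin server (not real traffic).
function fakeHtmlOrigin() {
  return new Response("<html><body>hello</body></html>", {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "X-Powered-By": "Express",
      "Content-Security-Policy": "default-src 'self'", // origin already has a stricter CSP
    },
  });
}

function fakeJsonOrigin() {
  return new Response('{"ok":true}', {
    status: 200,
    headers: { "Content-Type": "application/json", "X-Powered-By": "Express" },
  });
}

// Stand-alone demo: report what is missing before and after the worker logic runs.
console.log("missing before:", auditHeaders(fakeHtmlOrigin().headers));
const secured = secureResponse(fakeHtmlOrigin());
console.log("missing after:", auditHeaders(secured.headers));
console.log("CSP kept from origin:", secured.headers.get("content-security-policy"));
```

In a real worker, `handleRequest(event.request)` is called from the fetch event listener exactly as in the post's code; the only difference is that `secureResponse` and `auditHeaders` can be run locally with constructed responses before the route goes live, and that an origin that already sends a Content-Security-Policy keeps it.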
Good luck!
Useful link: OWASP Secure Headers Project | OWASP Foundation