From b9b4ba1cc903be7e4f4e5d36582906145d8b4228 Mon Sep 17 00:00:00 2001
From: Eric
Date: Thu, 4 Dec 2025 13:20:40 -0600
Subject: [PATCH] Website: Update response headers (#36543)

Closes: https://github.com/fleetdm/confidential/issues/11257

Changes:
- Updated the website's custom hook to set security-related response headers for GET and HEAD requests
---
 website/api/hooks/custom/index.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/website/api/hooks/custom/index.js b/website/api/hooks/custom/index.js
index aee7bed3df..99cdafe867 100644
--- a/website/api/hooks/custom/index.js
+++ b/website/api/hooks/custom/index.js
@@ -178,6 +178,13 @@ will be disabled and/or hidden in the UI.
 throw new Error('Cannot attach view local `me`, because this view local already exists! (Is it being attached somewhere else?)');
 }
 res.locals.me = undefined;
+
+ // Set security headers for all GET and HEAD requests.
+ res.setHeader(`X-Content-Type-Options`, `nosniff`);//[?]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
+ res.setHeader('X-Frame-Options', 'SAMEORIGIN');// [?]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
+ res.setHeader(`Referrer-Policy`, `strict-origin-when-cross-origin`);// [?]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy
+ res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains;');// [?]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security
+ res.setHeader(`Permissions-Policy`, `camera=(), microphone=(), usb=()`);// [?]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
 }//fi
 
 // Check for query parameters set by ad clicks.
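Review bot: The five `setHeader` calls sit inside the `if` closed by `}//fi`, which the added comment says covers only GET and HEAD requests (the `if` opens and the enclosing function continues outside this hunk), so responses to POST and other methods, including JSON error bodies, would go out without `X-Content-Type-Options: nosniff` or `X-Frame-Options`; consider hoisting the header block above the method check so every response carries them. The HSTS value `'max-age=31536000; includeSubDomains;'` ends with a stray `;` that yields an empty trailing directive; browsers tolerate it, but `res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');` is the canonical form. The quoting is mixed, with three calls using template literals and two using single-quoted strings, none of which interpolate anything, so single quotes throughout would match the rest of the hunk. If a CDN or reverse proxy in front of the site already emits any of these headers, the result would be duplicate header fields with possibly conflicting values, which is worth confirming in the deployment configuration.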