Instantly secure your website with Security Headers and Edgio

This is demo that shows how to secure your website against some common attacks like XSS, code injection, clickjacking, etc. with Edgio

const { Router } = require('@edgio/core/router')

const ContentSecurityPolicy = `
  default-src 'self';
  script-src 'self' 'unsafe-eval' 'unsafe-inline' *;
  style-src 'self' 'unsafe-inline' *;
  img-src * blob: data:;
  media-src 'none';
  connect-src *;
  font-src 'self' *;

export default new Router()
  .match('/:route', ({ setResponseHeader }) => {
    setResponseHeader('Content-Security-Policy', ContentSecurityPolicy.replace(/\n/g, ""))
    setResponseHeader("X-Content-Type-Options", 'nosniff')
    setResponseHeader('X-Frame-Options', 'DENY')
    setResponseHeader('Cross-Origin-Resource-Policy', 'same-origin')
    setResponseHeader('Cross-Origin-Embedder-Policy', 'require-corp')
    setResponseHeader('Cross-Origin-Opener-Policy', 'same-origin-allow-popups')
    setResponseHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
    setResponseHeader('Referrer-Policy', 'origin-when-cross-origin')
    setResponseHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()')

Importance of Security & Headers

As per HTTP security headers analysis of top one million websites, "Globally, including both HTTP and HTTPS sites, CSP is implemented in 1.6% and CSP report only version in just 0.2% of sites."

Shocking! right? and the lack of CSP HTTP Header takes down the defense mechanisms against Cross-Site Scripting (XSS) and other client-side injection attacks which once took down MySpace.

Author: Rishi Raj Jain