Skip to content

kevinobee/sveltekit-security-headers

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SvelteKit Security Headers

Enhance visitor security in SvelteKit apps. Add those missing HTTP response headers.

Node.js CI Lint Playwright Tests

Install

npm install @faranglao/sveltekit-security-headers

Usage

// src/hooks.server.ts
import { SvelteKitSecurityHeaders } from '@faranglao/sveltekit-security-headers';

export const handle = SvelteKitSecurityHeaders().handle;

To add HTTP response headers to your application install the package and export the handle function from SvelteKitSecurityHeaders. The handle function is a SvelteKit Server Hook exported in src/hooks.server.ts.

Default Response Headers

The SvelteKitSecurityHeaders server hook adds the following response headers to routed HTTP requests:

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()

Customizing Response Headers

The code below shows how to apply both pre-configured headers and add customer values to your HTTP responses.

// samples/custom/hooks.server.ts
// copy to src/hooks.server.ts
import { SvelteKitSecurityHeaders, RuleSet } from '@faranglao/sveltekit-security-headers';

export const handle = SvelteKitSecurityHeaders({
  headers: [
    ...RuleSet.SvelteKitSpecific,
    ...RuleSet.OwaspRecommendedMinimal,

    // Access-Control-Allow-Origin header to allow requests
    // from your domain .. override value
    {
      name: 'Access-Control-Allow-Origin',
      value: 'https://sveltekit-security-headers.vercel.app'
    }

    // .. add custom headers
  ],
  verbose: true
}).handle;

Multiple Server Hooks

The sequence helper function is used to call multiple server hook functions as shown below.

// samples/sequence/hooks.server.ts
// copy to src/hooks.server.ts
import type { Handle } from '@sveltejs/kit';
import { sequence } from '@sveltejs/kit/hooks';
import { SvelteKitSecurityHeaders } from '@faranglao/sveltekit-security-headers';

export const handle: Handle = sequence(
  /* existing Hook code , */
  SvelteKitSecurityHeaders().handle
);

Test Security Headers

Having already delivered over 250 million scans the Security Headers site is a useful tool for analyzing HTTP headers.

The scan returns a score from an A+ grade down to an F grade. You can find more information on scoring on Scott Helme's Security Headers blog.

The SvelteKitSecurityHeaders server hook adds the HTTP response headers required to achieve an A grade score on securityheaders.com

Source Code

Source code for the package is maintained on GitHub.

The package is published on NPM.