§9 response security headers (todo §9); the cookies/CSRF/clock-skew parts of this item all landed in §4 (HttpOnly/SameSite/Secure cookies in cookie.ts, the signed double-submit in csrf.ts, JWT_CLOCK_SKEW_SEC leeway on exp+nbf in jwt-middleware) — the open gap was response security headers, now closed. New pure src/security-headers.ts (securityHeaders({secure})): a strict CSP for the zero-JS core — script-src 'self' with NO 'unsafe-inline' (an injected <script> can't run; core ships none, a plugin may still serve its own /public/<id>/*.js), style-src adds 'unsafe-inline' for the partials' inline style=, img-src 'self' data:, frame-ancestors 'none', object-src 'none'; form-action deliberately omitted (the themed login POSTs to Kratos' often-cross-origin action URL) — plus X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, Cross-Origin-Opener-Policy same-origin, and HSTS only when secureCookies (https; ignored on dev http). Wired in app.ts: precomputed once at boot, res.setHeader'd at the very top of the handler before any branch, so every response (page/json/redirect/static/error/plugin) inherits them via writeHead's merge; a plugin overrides per-route via RouteResult.headers. Verified no view/CSS loads cross-origin (no <script> anywhere, no external fonts/CDNs), so default-src 'self' breaks nothing. Tests-first: security-headers.test.ts (strict defaults, script-src has no 'unsafe-inline', HSTS-only-on-secure) + an app.test.ts integration (the page and a static asset both carry the headers; HSTS toggles with SECURE_COOKIES). Stability-reviewer on the diff: APPROVE, no Critical/High (Low: a CDN/absolute branding logo would be CSP-blocked → documented the same-origin-logo constraint). README Status + Production + Layout updated. typecheck + 312 units green.

2026-06-20 01:18:24 +02:00
parent b3b51db52b
commit 9d22c75016
6 changed files with 104 additions and 4 deletions
--- a/src/app.test.ts
+++ b/src/app.test.ts
@@ -82,6 +82,25 @@ test("static serving: GET sends body + content-type, HEAD headers only, unsafe p
  assert.equal((await fetch(base + "/public/%00")).status, 403);
 });

+test("every response carries the security headers; HSTS follows SECURE_COOKIES (§9)", async (t) => {
+  // Default app (secureCookies off): a page and a static asset both carry the hardening headers,
+  // proving they're set once up front and survive each writeHead (the html + static paths merge).
+  for (const path of ["/", "/public/css/styles.css"]) {
+    const res = await fetch(base + path);
+    assert.equal(res.headers.get("x-content-type-options"), "nosniff", path);
+    assert.equal(res.headers.get("x-frame-options"), "DENY", path);
+    assert.match(res.headers.get("content-security-policy") ?? "", /default-src 'self'/, path);
+    assert.equal(res.headers.get("strict-transport-security"), null, path); // http dev → no HSTS
+  }
+
+  // A https deployment (SECURE_COOKIES=true) adds HSTS.
+  const secure = createApp({ secureCookies: true });
+  await new Promise<void>((r) => secure.listen(0, r));
+  t.after(() => secure.close());
+  const res = await fetch(`http://localhost:${(secure.address() as AddressInfo).port}/`);
+  assert.match(res.headers.get("strict-transport-security") ?? "", /max-age=\d+/);
+});
+
 // Production caches compiled templates; rendering must stay correct across repeated requests.
 test("renders correctly with template caching enabled", async () => {
  const app = createApp({ cache: true });
--- a/src/app.ts
+++ b/src/app.ts
@@ -29,6 +29,7 @@ import { acceptConsent, rejectConsent, resolveConsentChallenge } from "./oauth-c
 import { DEFAULT_MENU, type MenuConfig } from "./menu-config.ts";
 import type { Plugin, RouteResult } from "./plugin.ts";
 import { allowedMethods, isAuthorized, matchRoute } from "./router.ts";
+import { securityHeaders } from "./security-headers.ts";
 import { routePublic, serveStatic } from "./static.ts";
 import { renderPluginView } from "./view-resolver.ts";

@@ -72,6 +73,8 @@ export function createApp(options: AppOptions = {}): Server {
  const pluginsDir = options.pluginsDir ?? PLUGINS_DIR;
  const publicDir = options.publicDir ?? join(rootDir, "public");
  const viewsDir = options.viewsDir ?? join(rootDir, "views");
+  // Response security headers, fixed at boot (only HSTS depends on the https deployment signal).
+  const secHeaderEntries = Object.entries(securityHeaders({ secure: secureCookies }));

  // `views: [viewsDir]` lets a view in a subfolder (e.g. admin/users.ejs) include() the shared
  // partials/ by the same root-relative name top-level views use (EJS tries relative first).
@@ -101,6 +104,10 @@ export function createApp(options: AppOptions = {}): Server {
      const method = req.method ?? "GET";
      const pathname = new URL(req.url ?? "/", "http://localhost").pathname;

+      // Set before any branch so every response — static/redirect/error included — inherits them
+      // (writeHead merges these with its own headers; a plugin's RouteResult.headers can override).
+      for (const [name, value] of secHeaderEntries) res.setHeader(name, value);
+
      if (pathname.startsWith("/public/") && (method === "GET" || method === "HEAD")) {
        // /public/<id>/… serves a plugin's public/; everything else the core public/.
        // Before auth: assets don't need a verified user, and the JWT cookie rides every request.
--- a/src/security-headers.test.ts
+++ b/src/security-headers.test.ts
@@ -0,0 +1,26 @@
+import assert from "node:assert/strict";
+import { test } from "node:test";
+import { securityHeaders } from "./security-headers.ts";
+
+test("securityHeaders: strict zero-JS defaults; HSTS only over https", () => {
+  const h = securityHeaders();
+  // Always-on hardening, independent of scheme.
+  assert.equal(h["x-content-type-options"], "nosniff");
+  assert.equal(h["x-frame-options"], "DENY");
+  assert.equal(h["referrer-policy"], "strict-origin-when-cross-origin");
+  assert.equal(h["cross-origin-opener-policy"], "same-origin");
+
+  const csp = h["content-security-policy"] ?? "";
+  assert.match(csp, /default-src 'self'/);
+  assert.match(csp, /script-src 'self'/); // a plugin may ship its own JS; the core ships none
+  assert.doesNotMatch(csp, /script-src[^;]*'unsafe-inline'/); // an injected <script> can't run
+  assert.match(csp, /style-src 'self' 'unsafe-inline'/); // a few partials use inline style= attrs
+  assert.match(csp, /frame-ancestors 'none'/); // clickjacking guard (modern X-Frame-Options)
+  assert.match(csp, /object-src 'none'/);
+  assert.doesNotMatch(csp, /form-action/); // omitted: the themed login posts to Kratos' (cross-origin) action
+
+  // No HSTS on the dev http origin…
+  assert.equal(h["strict-transport-security"], undefined);
+  // …but present once the deployment is https.
+  assert.match(securityHeaders({ secure: true })["strict-transport-security"] ?? "", /max-age=\d+; includeSubDomains/);
+});
--- a/src/security-headers.ts
+++ b/src/security-headers.ts
@@ -0,0 +1,39 @@
+// Response security headers (todo §9): set once per request in app.ts so every response — page,
+// JSON, redirect, static, or error — carries them (writeHead merges with setHeader). A plugin route
+// may override any of them per-response via RouteResult.headers (e.g. relax the CSP to ship its own JS).
+
+// Strict default CSP for the zero-JS, server-rendered core:
+//  - script-src 'self'  : the core ships no JS; a plugin may still serve its own /public/<id>/*.js for
+//                         opt-in progressive enhancement. No 'unsafe-inline' ⇒ an injected <script>
+//                         can't run (the main XSS sink).
+//  - style-src adds 'unsafe-inline' : a few partials carry inline style= attributes.
+//  - img-src adds data:             : favicon + inline data URIs.
+//  - no form-action     : the themed login form posts to Kratos' (often cross-origin) action URL.
+//  - frame-ancestors 'none' : clickjacking guard (the modern X-Frame-Options).
+const CSP = [
+  "base-uri 'self'",
+  "default-src 'self'",
+  "frame-ancestors 'none'",
+  "img-src 'self' data:",
+  "object-src 'none'",
+  "script-src 'self'",
+  "style-src 'self' 'unsafe-inline'",
+].join("; ");
+
+export interface SecurityHeaderOptions {
+  secure?: boolean; // https deployment (mirrors SECURE_COOKIES) → also emit HSTS
+}
+
+// The header set applied to every response.
+export function securityHeaders(options: SecurityHeaderOptions = {}): Record<string, string> {
+  const headers: Record<string, string> = {
+    "content-security-policy": CSP,
+    "cross-origin-opener-policy": "same-origin",
+    "referrer-policy": "strict-origin-when-cross-origin",
+    "x-content-type-options": "nosniff",
+    "x-frame-options": "DENY",
+  };
+  // HSTS only over https — ignored (and meaningless) on the dev http origin.
+  if (options.secure) headers["strict-transport-security"] = "max-age=31536000; includeSubDomains";
+  return headers;
+}