feat: add security headers to enhance application security

LCSOGthb · LCSOGthb · commit 2deca3fd3811 · 2025-05-16T21:29:35.000+08:00
diff --git a/index.html b/index.html
@@ -3,6 +3,15 @@
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <!-- Add Security Headers -->
+    <meta http-equiv="Content-Security-Policy" 
+          content="default-src 'self'; connect-src 'self' https://api.ipify.org https://dns.google; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';">
+    <meta http-equiv="X-Frame-Options" 
+          content="SAMEORIGIN">
+    <meta http-equiv="X-Content-Type-Options" 
+          content="nosniff">
+    <meta name="referrer" 
+          content="strict-origin-when-cross-origin">
     <title>Tool Dashboard</title>
     <link rel="stylesheet" href="styles.css" />
   </head>
diff --git a/server.js b/server.js
@@ -0,0 +1,19 @@
+const express = require('express');
+const path = require('path');
+const app = express();
+
+app.use((req, res, next) => {
+    // Security Headers
+    res.setHeader('Content-Security-Policy', "default-src 'self'; connect-src 'self' https://api.ipify.org https://dns.google; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+    next();
+});
+
+app.use(express.static(path.join(__dirname)));
+
+const PORT = 3000;
+app.listen(PORT, () => {
+    console.log(`Server running at http://localhost:${PORT}`);
+});
