Skip to content

Commit

Permalink
Improve comment syntax from feedback
Browse files Browse the repository at this point in the history 
Co-authored-by: Titus <tituswormer@gmail.com>
  • Loading branch information
@Murderlon @wooorm
Murderlon and wooorm committed Sep 15, 2023
1 parent b38ca81 commit 69747fb
Showing 1 changed file with 64 additions and 34 deletions.
98 changes: 64 additions & 34 deletions lib/constants.js
View file
Original file line number Diff line number Diff line change
@@ -1,70 +1,100 @@
/** @constant */
export const DEFAULT_HEADERS = {
// Ensures that the page can't be displayed in a frame,
// regardless of where the request came from.
// It's a security feature to prevent "clickjacking" attacks,
// where an attacker might use an iframe to overlay a legitimate page over a deceptive page.
/**
* Ensures that the page can’t be displayed in a frame,
* regardless of where the request came from.
* It’s a security feature to prevent “clickjacking” attacks,
* where an attacker might use an iframe to overlay a legitimate page over a
* deceptive page.
*/
'X-Frame-Options': 'deny',
// The browser should enable the XSS filter and if a XSS attack is detected,
// rather than sanitizing the page, the browser will prevent rendering of the page entirely.
/**
* The browser should enable the XSS filter and if a XSS attack is detected,
* rather than sanitizing the page, the browser will prevent rendering of the
* page entirely.
*/
'X-XSS-Protection': '1; mode=block',
// Trust what the server says and not to perform MIME type sniffing.
// This can prevent certain security risks where the browser might interpret
// files as a different MIME type, which can be exploited in attacks.
/**
* Trust what the server says and not to perform MIME type sniffing.
* This can prevent certain security risks where the browser might interpret
* files as a different MIME type, which can be exploited in attacks.
*/
'X-Content-Type-Options': 'nosniff',
// By default, do not load content from any source (default-src 'none').
// Images can be loaded from data: URLs (like Base64 encoded images).
// Styles can be loaded inline (style-src 'unsafe-inline'),
// which usually means from within the HTML itself rather than from external files.
/**
* By default, do not load content from any source (`default-src 'none'`),
* images can be loaded from `data:` URLs (like Base64 encoded images),
* and styles can be loaded inline (`style-src 'unsafe-inline'`),
* which usually means from within the HTML itself rather than from external
* files.
*/
'Content-Security-Policy':
"default-src 'none'; img-src data:; style-src 'unsafe-inline'",
// This header is often called HSTS (HTTP Strict Transport Security).
// It's a security feature that ensures a website can only be accessed over HTTPS instead of HTTP.
// The max-age parameter specifies how long (in seconds) the browser should remember to enforce this policy.
// The includeSubDomains directive extends this rule to all subdomains of the domain sending the header.
// This ensures that even if a user tries to access the site or its subdomains via HTTP,
// their browser will automatically upgrade the request to HTTPS.
/**
* This header is often called HSTS (HTTP Strict Transport Security).
* It’s a security feature that ensures a website can only be accessed over
* HTTPS instead of HTTP.
* The `max-age` parameter specifies how long (in seconds) the browser should
* remember to enforce this policy.
* The `includeSubDomains` directive extends this rule to all subdomains of
* the domain sending the header.
* This ensures that even if a user tries to access the site or its
* subdomains via HTTP,
* their browser will automatically upgrade the request to HTTPS.
*/
'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
}

/**
* http request headers that are acceptable to pass from
* the client to the remote server. Only those present and true, are forwarded.
* @constant
* HTTP request headers that are acceptable to pass from the client to the
* remote server.
* Only those present and true are forwarded.
*
* @type {Readonly<Map<string, boolean>>}
*/
export const REQUEST_HEADERS = new Map([
['Accept', true],
['Accept-Charset', true],
['Accept-Encoding', false], // images (aside from xml/svg), don't typically benefit from compression
// No `Accept-Encoding` because images (other than from XML or SVG), don’t
// typically benefit from compression:
['Accept-Encoding', false],
['Accept-Language', true],
['Cache-Control', true],
['If-None-Match', true],
['If-Modified-Since', true],
['X-Forwarded-For', false], // x-forwarded-for header is not blindly passed without additional custom processing
['Range', true] // required to support safari byte range requests for video
// `Range` is used by Safari for byte range requests on video:
['Range', true],
// No `X-Forwarded-For` because ???
['X-Forwarded-For', false]
])

/**
* http response headers that are acceptable to pass from
* the remote server to the client. Only those present and true, are forwarded.
* @constant
* HTTP response headers that are acceptable to pass from the remote server to
* the client.
* Only those present and true are forwarded.
*
* @type {Readonly<Map<string, boolean>>}
*/
export const RESPONSE_HEADERS = new Map([
['Accept-Ranges', true], // required to support Safari byte range requests for video
['Content-Length', true],
['Content-Range', true],

// `Accept-Ranges` is used by Safari for byte range requests on video:
['Accept-Ranges', true],
['Cache-Control', true],
['Content-Length', true],
['Content-Encoding', true],
['Content-Range', true],
['Content-Type', true],
['ETag', true],
['Expires', true],
['Last-Modified', true],
['Server', false], // override in response with either nothing, or ServerNameVer
// `Server` is disallowed because ???
['Server', false],
['Transfer-Encoding', true]
])

/** @constant */
/**
* MIME types that we allow.
*
* @type {ReadonlyArray<string>}
*/
export const IMAGE_MIME_TYPES = [
'image/bmp',
'image/cgm',
Expand Down

0 comments on commit 69747fb

Please sign in to comment.