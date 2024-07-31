Set common security headers such as X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options.

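/**
 * Worker-style module handler: forwards the request to the origin with
 * `fetch`, then returns the origin's response with hardened headers.
 *
 * - Headers listed in BLOCKED_HEADERS are removed from every response.
 * - Headers in DEFAULT_SECURITY_HEADERS are set (overwriting origin values)
 *   only when the response is `text/html` or carries no Content-Type.
 *
 * Not set here: Content-Security-Policy, Strict-Transport-Security and
 * X-Frame-Options. Add them according to the site's own policy.
 */
const securityHeadersWorker = {
  /**
   * @param {Request} request - Incoming request, passed unchanged to the origin.
   * @returns {Promise<Response>} Origin response (same body, status and
   *   statusText) with the adjusted header set.
   */
  async fetch(request) {
    const DEFAULT_SECURITY_HEADERS = {
      "X-Content-Type-Options": "nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      // No trailing ';' after the last parameter: these two headers are parsed
      // as structured fields, and a dangling ';' is not valid syntax, so a
      // strict parser may discard the whole header.
      // `report-to="default"` only produces reports if a reporting endpoint
      // named "default" is declared elsewhere; this handler does not add one.
      "Cross-Origin-Embedder-Policy": 'require-corp; report-to="default"',
      // "same-site" is not a defined Cross-Origin-Opener-Policy value (it is a
      // Cross-Origin-Resource-Policy value); an unrecognised value leaves the
      // page without opener isolation. "same-origin" is the value that pairs
      // with COEP require-corp. NOTE(review): this severs window.opener across
      // origins. Confirm no cross-origin popup flow depends on it.
      "Cross-Origin-Opener-Policy": 'same-origin; report-to="default"',
      "Cross-Origin-Resource-Policy": "same-site",
    };
    // Deprecated or technology-disclosing headers that should not reach clients.
    const BLOCKED_HEADERS = ["Public-Key-Pins", "X-Powered-By", "X-AspNet-Version"];

    const response = await fetch(request);
    // Copy first: headers on a fetched response may be immutable.
    const newHeaders = new Headers(response.headers);

    // Strip disclosure headers on every response, not only HTML. The version
    // banner is just as visible on a JSON or image response.
    for (const name of BLOCKED_HEADERS) {
      newHeaders.delete(name);
    }

    // Media types are case-insensitive, so normalise before matching.
    const contentType = newHeaders.get("Content-Type");
    const isHtmlOrUntyped =
      contentType === null || contentType.toLowerCase().includes("text/html");

    // The policy headers stay limited to HTML / untyped responses.
    // NOTE(review): `nosniff` is most useful on script and stylesheet
    // responses; consider applying it to all responses once the origin's MIME
    // types are known to be correct.
    if (isHtmlOrUntyped) {
      for (const [name, value] of Object.entries(DEFAULT_SECURITY_HEADERS)) {
        newHeaders.set(name, value);
      }
    }

    return new Response(response.body, {
      status: response.status,
      statusText: response.statusText,
      headers: newHeaders,
    });
  },
};

export default securityHeadersWorker;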