Add security headers

app.js

@@ -14,6 +14,30 @@ if (process.env.NODE_ENV == 'production') {
 	app.use(require('koa-logger')());
 }
 
+app.use(require('koa-helmet')({
+	hsts: false,
+	frameguard: {
+		action: 'deny'
+	},
+	referrerPolicy: {
+		policy: 'strict-origin'
+	},
+	contentSecurityPolicy: {
+		directives: {
+			'default-src': ["'none'"],
+			'base-uri': ["'none'"],
+			'connect-src': ["'self'"],
+			'font-src': ["'self'", 'https://fonts.gstatic.com'],
+			'form-action': ["'self'"],
+			'frame-ancestors': ["'none'"],
+			'img-src': ["'self'", 'https:', 'data:'],
+			'object-src': ["'none'"],
+			'script-src': ["'self'", 'https://cdnjs.cloudflare.com', 'https://code.jquery.com'],
+			'style-src': ["'self'", 'https://fonts.googleapis.com', 'https://cdnjs.cloudflare.com'],
+			'block-all-mixed-content': true
+		}
+	}
+}));
 app.use(require('koa-compress')());
 app.use(require('koa-static-cache')(path.join(__dirname, 'public'), {
 	maxAge: config.cacheAge

package.json

@@ -32,6 +32,7 @@
     "koa-compress": "^5.0.1",
     "koa-conditional-get": "^2.0.0",
     "koa-etag": "^3.0.0",
+    "koa-helmet": "^5.2.0",
     "koa-logger": "^3.2.1",
     "koa-router": "^9.1.0",
     "koa-static-cache": "^5.1.3",