fix: set secure headers

codeforjapan · Mar 10, 2025 · 91076a6 · 91076a6
1 parent 35d21e6
commit 91076a6
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/app/entry.server.tsx b/app/entry.server.tsx
@@ -15,5 +15,15 @@ export default async function handleRequest(
     routerContext,
     loadContext,
   );
+
+  response.headers.set(
+    "Strict-Transport-Security",
+    "max-age=63072000; includeSubDomains; preload",
+  );
+  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+  response.headers.set("X-Content-Type-Options", "nosniff");
+  response.headers.set("X-Frame-Options", "DENY");
+  response.headers.set("X-Permitted-Cross-Domain-Policies", "none");
+
   return response;
 }