From 3579b78423f6c90ddd2ceb834bb0c0380726a790 Mon Sep 17 00:00:00 2001
From: Arman
Date: Thu, 17 Oct 2024 11:42:57 +0200
Subject: [PATCH 1/3] feat:improve security

---
 src/app.html | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/app.html b/src/app.html
index 206daa685f..4392a6fa9a 100644
--- a/src/app.html
+++ b/src/app.html
@@ -5,7 +5,9 @@ - +

From 60357bbbe498ed4743f7148bf6c0d8117d0eb922 Mon Sep 17 00:00:00 2001
From: Arman
Date: Thu, 17 Oct 2024 15:59:09 +0200
Subject: [PATCH 2/3] feat: security headers

---
 src/hooks.server.ts | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index e54c183dbb..28105fc99a 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -9,6 +9,22 @@ Sentry.init({
 tracesSampleRate: 1.0
 });
-export const handle = sequence(sentryHandle());
+const securityHeaders = {
+ 'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
+ 'Content-Security-Policy': `default-src 'self'; script-src 'report-sample' 'self' https://js.stripe.com/v3; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self' https://growth.appwrite.io https://*.sentry.io https://plausible.io; font-src 'self' https://fonts.appwrite.io; frame-src 'self' https://js.stripe.com; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self' blob:;` // We can also add a report-uri for CSP violations e.g. 'report-uri https://some-endpoint/;'
+};
+
+async function setSecurityHeaders({ event, resolve }) {
+ const response = await resolve(event);
+ if (isCloud && isProd) {
+ Object.entries(securityHeaders).forEach(([header, value]) =>
+ response.headers.set(header, value)
+ );
+ }
+
+ return response;
+}
+
+export const handle = sequence(setSecurityHeaders, sentryHandle());
 export const handleError = handleErrorWithSentry();

From d18d9fb90994aa9a064d7ba692df2aa01300ba3f Mon Sep 17 00:00:00 2001
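Review bot: `async function setSecurityHeaders({ event, resolve })` in the hooks.server.ts hunk leaves both parameters implicitly `any` in a TypeScript file, so a mistyped `event`/`resolve` or a wrong return shape would go unnoticed; the conventional fix is `const setSecurityHeaders: Handle = async ({ event, resolve }) => { ... };` with `import type { Handle } from '@sveltejs/kit'` (assuming it is not already imported above the hunk). Two caveats worth a comment on the function: the hook only stamps responses that pass through `resolve`, so anything served directly by the adapter or a front proxy (static assets, early error pages) is not covered, and `isCloud`/`isProd` are used but their imports are not visible in the hunk. Since PATCH 3/3 removes this code again in favour of nginx, these points matter mainly if the hook variant is ever restored.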
From: Arman
Date: Fri, 18 Oct 2024 15:07:41 +0200
Subject: [PATCH 3/3] refactor: move header to nginx file

---
 docker/nginx.conf | 4 ++++
 src/hooks.server.ts | 18 +----------------
 2 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/docker/nginx.conf b/docker/nginx.conf
index 7f7313e00b..dbc08b8b75 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -30,6 +30,10 @@ server {
 add_header X-XSS-Protection "1; mode=block;";
 # disable content-type sniffing on some browsers.
 add_header X-Content-Type-Options nosniff;
+ # enable HSTS
+ add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
+ # enable CSP
+ add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self' https://js.stripe.com/v3; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self' https://growth.appwrite.io https://*.sentry.io https://plausible.io; font-src 'self' https://fonts.appwrite.io; frame-src 'self' https://js.stripe.com; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self' blob:;";
 }
 location / {
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index 28105fc99a..e54c183dbb 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
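Review bot: The two new `add_header` lines in docker/nginx.conf only take effect on 2xx/3xx responses, because nginx drops `add_header` values on error responses unless the directive carries `always`; a 404 or 500 from this server would be sent without HSTS or CSP, and HSTS in particular should go out on every response, so write `add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;` and add `always` to the CSP line the same way. The hunk closes with `}` immediately before `location / {`, so these directives sit in a nested block whose opening line is outside the hunk; if that block is a `location`, or if `location /` (or any other location) declares its own `add_header`, nginx's inheritance rule means these two headers are not sent for the main app at all, which is worth verifying against the rest of the file. Two caveats from the values themselves: `preload` together with `includeSubDomains` is effectively irreversible once the domain is submitted to the HSTS preload list (every subdomain must then serve HTTPS), and `'report-sample'` does nothing without a `report-uri`/`report-to` directive, a point the TypeScript version carried in a comment that this move dropped. Finally, the hook version was gated on `isCloud && isProd` while this config is unconditional; if docker/nginx.conf is also used outside that deployment, the gating has been lost.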
@@ -9,22 +9,6 @@ Sentry.init({
 tracesSampleRate: 1.0
 });
-const securityHeaders = {
- 'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
- 'Content-Security-Policy': `default-src 'self'; script-src 'report-sample' 'self' https://js.stripe.com/v3; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self' https://growth.appwrite.io https://*.sentry.io https://plausible.io; font-src 'self' https://fonts.appwrite.io; frame-src 'self' https://js.stripe.com; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self' blob:;` // We can also add a report-uri for CSP violations e.g. 'report-uri https://some-endpoint/;'
-};
-
-async function setSecurityHeaders({ event, resolve }) {
- const response = await resolve(event);
- if (isCloud && isProd) {
- Object.entries(securityHeaders).forEach(([header, value]) =>
- response.headers.set(header, value)
- );
- }
-
- return response;
-}
-
-export const handle = sequence(setSecurityHeaders, sentryHandle());
+export const handle = sequence(sentryHandle());
 export const handleError = handleErrorWithSentry();