SvelteKit Security Headers
Enhance visitor security in SvelteKit apps. Add those missing HTTP response headers.
Install
npm install @faranglao/sveltekit-security-headers
Usage
// src/hooks.server.ts
import { SvelteKitSecurityHeaders } from '@faranglao/sveltekit-security-headers';
export const handle = SvelteKitSecurityHeaders().handle;
To add HTTP response headers to your application install the package and export the handle
function from SvelteKitSecurityHeaders
. The handle
function is a SvelteKit Server Hook exported in src/hooks.server.ts
.
Default Response Headers
The SvelteKitSecurityHeaders
server hook adds the following response headers to routed HTTP requests:
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
Customizing Response Headers
The code below shows how to apply both pre-configured headers and add customer values to your HTTP responses.
// samples/custom/hooks.server.ts
// copy to src/hooks.server.ts
import { SvelteKitSecurityHeaders, RuleSet } from '@faranglao/sveltekit-security-headers';
export const handle = SvelteKitSecurityHeaders({
headers: [
...RuleSet.SvelteKitSpecific,
...RuleSet.OwaspRecommendedMinimal,
// Access-Control-Allow-Origin header to allow requests
// from your domain .. override value
{
name: 'Access-Control-Allow-Origin',
value: 'https://sveltekit-security-headers.vercel.app'
}
// .. add custom headers
],
verbose: true
}).handle;
Multiple Server Hooks
The sequence helper function is used to call multiple server hook functions as shown below.
// samples/sequence/hooks.server.ts
// copy to src/hooks.server.ts
import type { Handle } from '@sveltejs/kit';
import { sequence } from '@sveltejs/kit/hooks';
import { SvelteKitSecurityHeaders } from '@faranglao/sveltekit-security-headers';
export const handle: Handle = sequence(
/* existing Hook code , */
SvelteKitSecurityHeaders().handle
);
Test Security Headers
Having already delivered over 250 million scans the Security Headers site is a useful tool for analyzing HTTP headers.
The scan returns a score from an A+ grade down to an F grade. You can find more information on scoring on Scott Helme’s Security Headers blog.
The SvelteKitSecurityHeaders
server hook adds the HTTP response headers required to achieve an A grade score on securityheaders.com
Source Code
Source code for the package is maintained on GitHub.
The package is published on NPM.