{ lib
, ...
}:
rec {
# Render one directive value. A list becomes a space-separated run of tokens;
# any other value is passed through toString.
#
# List elements that start with "http" are emitted bare; every other element
# is wrapped in single quotes (so "self" is rendered as 'self').
# NOTE(review): the "http" prefix test also single-quotes scheme and host
# sources such as data:, blob:, wss: or bare host names. CSP only quotes
# keywords, nonces and hashes, so those entries would not match as intended.
# Confirm callers only pass keywords and http(s) URLs.
subValue = v:
  let
    quoteToken = tok:
      if lib.strings.hasPrefix "http" tok then tok else "'${tok}'";
  in
  if builtins.isList v
  then builtins.concatStringsSep " " (builtins.map quoteToken v)
  else toString v;
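# Render a header value. An attribute set becomes "; "-separated directives:
#   * `name = true`  -> bare `name` (a flag directive)
#   * `name = false` -> omitted
#   * anything else  -> `name<sep><subValue value>`
# A value that is not an attribute set is passed through toString.
headerValue = sep: val:
  if builtins.isAttrs val
  then
    let
      # Drop flags that are explicitly false so that, for example,
      # `preload = false` does not render `preload` into the header.
      enabled = lib.attrsets.filterAttrs (_: v: v != false) val;
    in
    builtins.concatStringsSep "; "
      (lib.attrsets.mapAttrsToList
        (k: v: if builtins.isBool v then k else "${k}${sep}${subValue v}")
        enabled)
  else toString val;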
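# Build the renderer for one header: `genHeader name value` yields a config
# line of the form `name "rendered value"`.
#
# CSP-style headers separate a directive from its sources with a space; every
# other header is rendered as `key=value`.
# NOTE(review): the rendered value is placed between double quotes without
# escaping, so a `"` inside a value would end the quoted token early. Keep
# double quotes out of header values or escape them at the call site.
genHeader = header:
  let
    # Header names are case-insensitive, and the report-only variant uses the
    # same grammar as content-security-policy, so both need the space
    # separator; with "=" the policy would come out as `default-src='self'`.
    cspHeaders = [
      "content-security-policy"
      "content-security-policy-report-only"
    ];
    sep =
      if builtins.elem (lib.strings.toLower header) cspHeaders
      then " "
      else "=";
  in
  value: "${header} \"${headerValue sep value}\"";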
# Render a `header <matcher> { ... }` block with one line per attribute of
# `headers`, each line produced by genHeader. `matcher` is interpolated as
# given; an empty string leaves the block without a matcher.
headers = matcher: headers:
  let
    renderedLines = lib.attrsets.mapAttrsToList genHeader headers;
    body = builtins.concatStringsSep "\n" renderedLines;
  in
  ''
    header ${matcher} {
    ${body}
    }
  '';
# Baseline security headers, rendered through `headers`.
#   matcher   - request matcher placed after `header` (default: "")
#   overrides - header attributes merged over the defaults
# Defaults: strict-transport-security with a two-year max-age and no other
# directive, x-content-type-options "nosniff", x-frame-options "DENY".
# `//` is a shallow merge: an override for `strict-transport-security`
# replaces the whole attribute set, so it has to restate `max-age` alongside
# anything it adds (for example includeSubDomains).
security-headers = { matcher ? "", overrides ? { } }:
  let
    twoYearsInSeconds = 2 * 365 * 24 * 60 * 60;
    defaults = {
      strict-transport-security = { max-age = twoYearsInSeconds; };
      x-content-type-options = "nosniff";
      x-frame-options = "DENY";
    };
  in
  headers matcher (defaults // overrides);
}