Lighthouse is encouraging applications to add the following headers, which are essentially default behaviors of Architect anyhow. I'd like to propose that if a developer is using @architect/functions and returning { html: '<strong>my html</strong>' } we add the following headers automatically:

```js
headers['Strict-Transport-Security'] = 'max-age=0'
headers['X-Content-Type-Options'] = 'nosniff'
headers['X-Frame-Options'] = 'DENY'
headers['X-XSS-Protection'] = '1'
```

Strict-Transport-Security tells the browser to use HTTPS. Architect applications use API Gateway, which is incapable of HTTP, so this one is a very safe default.
X-Content-Type-Options indicates the MIME type in the Content-Type should be strictly followed.
X-Frame-Options prevents loading the page in an iframe.
X-XSS-Protection is a Chrome-only feature and setting it to 1 is declaring the browser default behavior.
Of course, developers should be able to override at will by returning their own headers in the response.
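One way to implement the proposed behaviour, as an added example that is not code from the Architect project: a helper that merges the default headers into an @architect/functions-style response only when the response carries an `html` body, and lets any developer-supplied header win. The function name `withDefaultHeaders` and the response shape are assumptions for illustration. Header names are matched case-insensitively, because HTTP header names are case-insensitive and a developer returning `'x-frame-options': 'SAMEORIGIN'` should not end up with two conflicting X-Frame-Options values. The default values are copied verbatim from the proposal; note that per RFC 6797 a Strict-Transport-Security `max-age` of 0 tells the browser to stop treating the host as an HSTS host, so a deployment that wants enforcement would set a positive value such as `max-age=31536000`.

```javascript
// Added example (not Architect project code): apply proposed default security
// headers to an @architect/functions-style response of the form { html, headers }.

// Defaults exactly as listed in the proposal. Caveat: RFC 6797 defines
// max-age=0 as "stop treating this host as an HSTS host"; a positive max-age
// is what actually enables HTTPS enforcement.
const DEFAULT_HEADERS = {
  'Strict-Transport-Security': 'max-age=0',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1',
};

// Hypothetical helper name. Returns a new response object; the input is not
// mutated. Only HTML responses are touched, matching the proposal's scope.
function withDefaultHeaders(response, defaults = DEFAULT_HEADERS) {
  if (typeof response.html !== 'string') return response;

  const provided = response.headers || {};
  // Developer-supplied headers override defaults regardless of letter case.
  const providedLower = new Set(
    Object.keys(provided).map((name) => name.toLowerCase()),
  );

  const merged = { ...provided };
  for (const [name, value] of Object.entries(defaults)) {
    if (!providedLower.has(name.toLowerCase())) {
      merged[name] = value;
    }
  }
  return { ...response, headers: merged };
}

// Example usage with a constructed response.
const example = withDefaultHeaders({
  html: '<strong>my html</strong>',
  headers: { 'x-frame-options': 'SAMEORIGIN' },
});
console.log(example.headers);

module.exports = { DEFAULT_HEADERS, withDefaultHeaders };
```

Because the merge is case-insensitive, the example above keeps the developer's `x-frame-options: SAMEORIGIN` and does not add the `DENY` default alongside it, while the other three defaults are still filled in; a `{ json: ... }` response passes through untouched.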