add security headers

serve.ts

@@ -1,6 +1,8 @@
 import Server from "lume/core/server.ts";
 import { basicAuth } from "lume/middlewares/basic_auth.ts"
 import precompress from "lume/middlewares/precompress.ts";
+import expires from "lume/middlewares/expires.ts";
+import csp from "https://raw.githubusercontent.com/lumeland/experimental-plugins/main/csp/mod.ts";
 
 const server = new Server({
   port: 8000,
@@ -23,13 +25,38 @@ server.use((req, next) => {
   return next(req);
 });
 
-server.use(precompress());
-
 function isProtected(req) {
   const url = new URL(req.url);
   return url.pathname.includes("/private/");
 }
 
+// assumes you are precompressing, say with the brotli plugin
+server.use(precompress());
+server.use(expires());
+// pass your preferred security header options:
+server.use(csp({
+  "Strict-Transport-Security": {
+    maxAge: DEFAULT_MAX_AGE,
+    includeSubDomains: true,
+    preload: true,
+  },
+  "Referrer-Policy": ["no-referrer", "strict-origin-when-cross-origin"],
+  "X-Frame-Options": true,
+  "X-Content-Type-Options": true,
+  "X-XSS-Protection": true,
+  "X-Permitted-Cross-Domain-Policies": true,
+  "X-Powered-By": true,
+});
+
+server.use(async (request, next) => {
+  const response = await next(request);
+
+  // Add additional headers to the request
+  response.headers.set("X-Powered-By", "Lume and sweat, blood, and tears");
+
+  return response;
+});
+
 server.start();
 
 console.log("Listening on http://localhost:8000");