You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat: harden frontend crate with security headers, asset validation, and gzip compression (#228)
* feat: add default security and privacy HTTP headers
Implement 8 security/privacy headers in create_default_headers():
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Referrer-Policy: no-referrer
- X-XSS-Protection: 0 (disabled, rely on CSP instead)
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- Permissions-Policy: deny camera, mic, geolocation, etc.
- Cross-Origin-Opener-Policy: same-origin
- Cross-Origin-Resource-Policy: same-origin
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add asset validation with file type allowlist, size limits, and path checks
- Add DEFAULT_ALLOWED_EXTENSIONS allowlist (22 web frontend extensions)
- Add 2MB default file size limit (DEFAULT_MAX_FILE_SIZE)
- Validate paths: reject .., //, and invalid URL characters
- Detect duplicate asset paths
- Add FrontendConfig for customization (extra extensions, custom size limit)
- Add setup_frontend_with_config() and asset_router_configs_with_config()
- asset_router_configs() now returns Result to surface validation errors
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add gzip compression for compressible frontend assets
- Add flate2 dependency for gzip compression
- Compress text-based assets (HTML, JS, CSS, JSON, SVG, XML, TXT, source maps)
at init time and serve both identity and gzip variants
- AssetConfig for compressible files now includes both Identity and Gzip encodings
- IC asset router automatically negotiates encoding via Accept-Encoding header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* test: add security header and gzip compression assertions to acceptance suite
- Verify all 8 security/privacy headers on frontend fallback response
- Verify gzip compression: request with Accept-Encoding returns gzip magic bytes
- Verify content-encoding: gzip header in compressed response
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: update changelogs and README for frontend crate improvements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: use same-origin-allow-popups for COOP header to support II popups
Cross-Origin-Opener-Policy: same-origin blocks communication between
the dapp window and the Internet Identity popup (different canister
origins). Change to same-origin-allow-popups which still protects
against being opened by other origins but allows the dapp to open
II authentication popups that can communicate back.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
-**Configurable**: Use `FrontendConfig` to allow additional file types or adjust size limits
40
44
- Exposes `with_asset_router` and `with_asset_router_mut` for access to the asset router, see example below.
41
45
- Exposes `asset_router_configs` if you want to implement your own asset router, see [this example](https://github.com/Web3NL/my-canister-dapp/blob/e8fdc0ac81f7bdc702418c05130ace3f9f5399fb/examples/my-hello-world/src/backend/src/lib.rs).
42
46
47
+
## Configuration
48
+
49
+
To allow additional file types or customize settings:
50
+
51
+
```rust,ignore
52
+
use ic_cdk::init;
53
+
use include_dir::{include_dir, Dir};
54
+
use my_canister_frontend::{setup_frontend_with_config, FrontendConfig};
55
+
56
+
static ASSETS: Dir = include_dir!("$CARGO_MANIFEST_DIR/../dapp-frontend/dist");
0 commit comments