Merge pull request #61 from codeforjapan/fix/secure-header

セキュリティリスクを低減させるレスポンスヘッダーを入れる

Author: sushichan044

app/entry.server.tsx

@@ -15,5 +15,15 @@ export default async function handleRequest(
     routerContext,
     loadContext,
   );
+
+  response.headers.set(
+    "Strict-Transport-Security",
+    "max-age=63072000; includeSubDomains; preload",
+  );
+  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+  response.headers.set("X-Content-Type-Options", "nosniff");
+  response.headers.set("X-Frame-Options", "DENY");
+  response.headers.set("X-Permitted-Cross-Domain-Policies", "none");
+
   return response;
 }