From 52075aa7b622fd936a7434d2aaf51eb1109e6553 Mon Sep 17 00:00:00 2001
From: Arnaud Meukam
Date: Tue, 10 Sep 2024 17:57:17 +0200
Subject: [PATCH] Fastly: Include security headers for dl

Add Security headers to the VCL service.

Ref:
- https://web.dev/secure/
- https://infosec.mozilla.org/guidelines/web_security
---
 infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl b/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
index ef1f05fcfcc2..df92a49277a0 100644
--- a/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
+++ b/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
@@ -109,6 +109,16 @@ sub vcl_hit {
 sub vcl_deliver {
+ set resp.http.Content-Security-Policy = "default-src 'self'";
+ set resp.http.X-Frame-Options = "SAMEORIGIN";
+ set resp.http.X-XSS-Protection = "1";
+ set resp.http.X-Content-Type-Options = "nosniff";
+ set resp.http.Referrer-Policy = "origin-when-cross-origin";
+
+ if (req.protocol == "https") {
+ set resp.http.Strict-Transport-Security = "max-age=63072000; includeSubDomains";
+ }
+
 if (resp.http.cache-control:max-age) {
 unset resp.http.expires;
 }
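Review bot: The `X-XSS-Protection = "1"` line enables the legacy browser XSS auditor in its filtering (non-blocking) mode, which is the configuration that was later withdrawn by browser vendors because the auditor itself could be abused to infer page content; current guidance, including the web.dev reference cited in the description, is to disable it explicitly or omit the header, so this should read `set resp.http.X-XSS-Protection = "0";` (or be dropped) rather than `"1"`. The remaining headers look consistent with the referenced guidelines for a download host; note that `default-src 'self'` does not govern framing, so the `X-Frame-Options` line is what actually restricts embedding and should stay. These assignments run on every delivery and unconditionally overwrite any same-named header from the origin, which appears intended here but is worth a one-line comment above the block, e.g. `# Security headers (override origin values); see web.dev/secure and Mozilla web_security guidelines`. The rest of vcl_deliver continues past the end of the hunk.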