Document Policy

Document Policy

Implementing Document Policy

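// Document Policy for performance and security constraints.
//
// The directive list does not vary per request, so it is built and joined
// once at module load instead of being re-created on every call.
const documentPolicy = Object.freeze([
    // Limit oversized images
    'oversized-images=?0',
    // Disable document.write
    'document-write=?0',
    // Require HTTPS for all subresources
    'require-https=?1',
    // Disable sync XHR
    'sync-xhr=?0',
    // Disallow late font-display swaps
    'font-display-late-swap=?0',
    // NOTE(review): force-load-at-top controls scroll-position-on-load
    // behaviour (fragment / scroll-restoration), not image lazy loading as an
    // earlier comment claimed — confirm against the Document Policy spec
    // before relying on it for image loading.
    'force-load-at-top=?0',
]).join(', ');

// Enforced policy plus a report-only copy of the same directives.
//
// NOTE(review): because the identical policy is already enforced, the
// report-only header cannot surface anything enforcement does not already
// block; report-only is normally used to trial a *stricter* policy before
// enforcing it. The `report-to=document-policy` token also names a reporting
// group that nothing on this page declares (no `Reporting-Endpoints` /
// `Report-To` header is set here), so violation reports have nowhere to go
// unless that group is configured elsewhere.
app.use((req, res, next) => {
    res.setHeader('Document-Policy', documentPolicy);

    // Report-only mode for testing
    res.setHeader('Document-Policy-Report-Only',
        `${documentPolicy}, report-to=document-policy`
    );

    next();
});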

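// Per-environment Document Policy directive values, keyed by directive name.
// Values are structured-field booleans: '?1' allows the feature, '?0' denies it.
//
// Frozen (outer table and each environment) so that a table driving a security
// header cannot be altered at runtime by accident. As far as this page shows,
// nothing reads this table — the app.use middleware builds its own directive
// list — so the two must be kept in agreement by hand.
const documentPolicyConfig = Object.freeze({
    development: Object.freeze({
        'oversized-images': '?1', // Allow in dev
        'document-write': '?1',    // Allow in dev
        'sync-xhr': '?1'          // Allow in dev
    }),
    production: Object.freeze({
        'oversized-images': '?0',
        'document-write': '?0',
        'sync-xhr': '?0',
        'vertical-scroll': '?0',  // Prevent vertical scroll
        'js-profiling': '?0'      // Disable JS profiling
    })
});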