Emerging Security Headers
Trusted Types: Preventing DOM XSS
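// Trusted Types implementation
// Currently supported in Chrome/Edge; engines that do not implement Trusted
// Types ignore the two directives and still enforce the rest of the CSP.
app.use((req, res, next) => {
  // Enable Trusted Types via CSP.
  // `trusted-types` is an allowlist of policy *names*: every name handed to
  // window.trustedTypes.createPolicy() on the client must be listed here or
  // createPolicy() throws. `default` and `api-response` are the policies the
  // client-side code in this file creates; `dompurify` is the name DOMPurify
  // registers for its own internal policy.
  const trustedTypesPolicy =
    "require-trusted-types-for 'script'; " +
    "trusted-types default dompurify api-response";
  res.setHeader('Content-Security-Policy',
    `${trustedTypesPolicy}; default-src 'self'`
  );
  next();
});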
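// Client-side Trusted Types implementation
// The names passed to createPolicy() below must appear in the server's
// `trusted-types` CSP directive, otherwise createPolicy() throws a TypeError.

// Build the Trusted Types policies used on this page.
// Split out from the feature check so the rules can be exercised without a
// browser (pass a stub with a `createPolicy(name, rules)` method).
// - trustedTypes: the `window.trustedTypes` factory or a compatible stub
// - baseUrl: document URL used to resolve relative script URLs
// Returns { defaultPolicy, apiPolicy }.
function createTrustedTypesPolicies(trustedTypes, baseUrl) {
  const pageOrigin = new URL(baseUrl).origin;

  // Script sources that may reach script-URL sinks: one CDN origin (the
  // trailing slash keeps look-alike hosts such as `cdn.example.com.evil` out)
  // and one same-origin path prefix.
  const isAllowedScriptUrl = (url) => {
    let resolved;
    try {
      // Resolve first so that `..` segments and protocol-relative forms are
      // compared in the normalised shape the browser will actually fetch;
      // a plain startsWith() on the raw string lets '/static/js/../x.js' through.
      resolved = new URL(url, baseUrl);
    } catch (err) {
      // Unparseable URL: treat as blocked rather than leaking a TypeError.
      return false;
    }
    if (resolved.href.startsWith('https://cdn.example.com/')) {
      return true;
    }
    return resolved.origin === pageOrigin && resolved.pathname.startsWith('/static/js/');
  };

  // Default policy: the browser applies it automatically whenever a plain
  // string is assigned to a sink, so it must be the strictest one.
  const defaultPolicy = trustedTypes.createPolicy('default', {
    createHTML: (input) => {
      // Sanitize HTML before insertion
      return DOMPurify.sanitize(input);
    },
    createScriptURL: (url) => {
      // Validate script URLs
      if (isAllowedScriptUrl(url)) {
        return url;
      }
      throw new Error(`Blocked script URL: ${url}`);
    },
    createScript: (script) => {
      // Block all inline scripts by default
      throw new Error('Inline scripts blocked by Trusted Types');
    }
  });

  // Policy for rendering API responses; use it explicitly, e.g.
  // `el.innerHTML = apiPolicy.createHTML(text)`.
  const apiResponsePolicy = trustedTypes.createPolicy('api-response', {
    createHTML: (input) => {
      // Special handling for API responses: a tight tag/attribute allowlist.
      // DOMPurify drops <script> (and everything else not listed) itself, so
      // no regex pre-pass is needed; regexes are not a reliable HTML sanitizer.
      return DOMPurify.sanitize(input, {
        ALLOWED_TAGS: ['p', 'span', 'div', 'a', 'img'],
        ALLOWED_ATTR: ['href', 'src', 'alt', 'class']
      });
    }
  });

  return { defaultPolicy, apiPolicy: apiResponsePolicy };
}

// The API-response policy for the rest of the page to use; stays null when
// Trusted Types is unavailable (or outside a browser).
let apiPolicy = null;
if (typeof window !== 'undefined' && window.trustedTypes && window.trustedTypes.createPolicy) {
  apiPolicy = createTrustedTypesPolicies(window.trustedTypes, window.location.href).apiPolicy;
}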
Cross-Origin-Opener-Policy (COOP)
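// COOP implementation for process isolation
app.use((req, res, next) => {
  // Different COOP values for different security requirements
  let coop;
  if (req.path.startsWith('/sensitive')) {
    // Maximum isolation for sensitive pages
    coop = 'same-origin';
  } else if (req.path.startsWith('/public')) {
    // Allow popups to retain reference
    coop = 'same-origin-allow-popups';
  } else {
    // Default unsafe behavior (for compatibility)
    coop = 'unsafe-none';
  }
  res.setHeader('Cross-Origin-Opener-Policy', coop);
  // Complement with COEP for full isolation. `crossOriginIsolated` (and with
  // it SharedArrayBuffer) only becomes true with COOP `same-origin` AND COEP
  // `require-corp`. On the other branches `require-corp` buys no isolation
  // and merely blocks cross-origin subresources that lack CORP/CORS headers,
  // which defeats the compatibility intent of `unsafe-none`, so it is only
  // sent together with `same-origin`.
  if (coop === 'same-origin') {
    res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
  }
  next();
});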
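// Testing COOP behavior
// Opens a popup and reports what the current page can observe about its own
// cross-origin isolation. Meant to be run from the browser console.
// - url: page to open (defaults to the demo URL used originally)
// - win: Window to probe (defaults to the global `window`; injectable for tests)
// Returns { popupSevered, crossOriginIsolated, sharedArrayBufferAvailable }.
function testCOOPIsolation(url = 'https://example.com/isolated', win = window) {
  // Open window with COOP
  const popup = win.open(url);
  // With COOP same-origin the opener relationship is severed rather than
  // open() returning null: the handle comes back disconnected (in Chromium
  // `popup.closed` reads true and the popup sees `opener === null`). A null
  // return means the popup was blocked, which is reported the same way.
  const popupSevered = popup === null || popup.closed === true;
  console.log('Popup reference:', popup);
  // Check if we're isolated
  const crossOriginIsolated = win.crossOriginIsolated === true;
  // SharedArrayBuffer is only exposed to cross-origin-isolated pages, so its
  // presence is the practical signal that the powerful APIs are usable.
  const sharedArrayBufferAvailable = typeof SharedArrayBuffer === 'function';
  if (crossOriginIsolated) {
    console.log('Page is cross-origin isolated');
  }
  return { popupSevered, crossOriginIsolated, sharedArrayBufferAvailable };
}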
Cross-Origin-Resource-Policy (CORP)
// CORP for resource protection
// Cross-Origin-Resource-Policy tells the browser which origins may embed a
// response (no-cors fetches, <img>, <script>, ...). One middleware per route
// family, registered in the same order as before.
// NOTE(review): with Express 4 a mount of '/cdn/*' does not match the bare
// '/cdn' path, and Express 5 changed wildcard syntax — confirm against the
// installed version.
for (const [mount, policy] of [
  // Prevent resources from being loaded cross-origin
  ['/api/sensitive/*', 'same-origin'],
  // Allow cross-origin access from same site
  ['/api/public/*', 'same-site'],
  // Allow any origin (for CDN resources)
  ['/cdn/*', 'cross-origin'],
]) {
  app.use(mount, (req, res, next) => {
    res.setHeader('Cross-Origin-Resource-Policy', policy);
    next();
  });
}