From c131cf7a164803da3bf16939784d797fad874929 Mon Sep 17 00:00:00 2001
From: Asher Gomez
Date: Sat, 21 Jun 2025 07:51:18 +1000
Subject: [PATCH 1/2] refactor: move security headers middleware
---
 middlewares/security_headers.ts | 27 +++++++++++++++++++++++++++
 plugins/security_headers.ts | 28 ++--------------------------
 2 files changed, 29 insertions(+), 26 deletions(-)
 create mode 100644 middlewares/security_headers.ts
diff --git a/middlewares/security_headers.ts b/middlewares/security_headers.ts
new file mode 100644
index 00000000..7ff7a632
--- /dev/null
+++ b/middlewares/security_headers.ts
@@ -0,0 +1,27 @@
+import type { FreshContext } from "$fresh/server.ts";
+
+export default async (_req: Request, ctx: FreshContext): Promise => {
+ if (ctx.destination !== "route" || ctx.url.pathname.startsWith("/api")) {
+ return await ctx.next();
+ }
+
+ const response = await ctx.next();
+
+ /**
+ * @todo(Jabolol) Implement `Content-Security-Policy` once
+ * https://github.com/denoland/fresh/pull/1787 lands.
+ */
+ response.headers.set(
+ "Strict-Transport-Security",
+ "max-age=63072000;",
+ );
+ response.headers.set(
+ "Referrer-Policy",
+ "strict-origin-when-cross-origin",
+ );
+ response.headers.set("X-Content-Type-Options", "nosniff");
+ response.headers.set("X-Frame-Options", "SAMEORIGIN");
+ response.headers.set("X-XSS-Protection", "1; mode=block");
+
+ return response;
+};
diff --git a/plugins/security_headers.ts b/plugins/security_headers.ts
index 7953f5a7..7a3ee062 100644
--- a/plugins/security_headers.ts
+++ b/plugins/security_headers.ts
@@ -1,5 +1,6 @@
 // Copyright 2023-2025 the Deno authors. All rights reserved. MIT license.
 import type { Plugin } from "$fresh/server.ts";
+import securityHeadersMiddleware from "../middlewares/security_headers.ts";
 
 export default {
 name: "security-headers",
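Review bot: The middleware keeps `response.headers.set("X-XSS-Protection", "1; mode=block");` from the old plugin handler, but that legacy browser filter is no longer shipped by current browsers and its filtering mode has been used for cross-site information leaks, so current guidance is to send `response.headers.set("X-XSS-Protection", "0");` or drop the line. The `Strict-Transport-Security` value `max-age=63072000;` ends in a `;` with no directive after it — harmless under the RFC 6797 grammar, but it reads like a truncated `includeSubDomains`; `"max-age=63072000"` is the intended form unless every subdomain is served over TLS. The exported handler has no doc comment; a short TSDoc stating that it adds baseline security headers only to `route` destinations outside `/api`, and that `Content-Security-Policy` is still pending, would let readers see the scope without tracing `ctx.destination`. The return annotation shows as `Promise` with no type argument here, which looks like `Promise<Response>` lost in extraction — worth confirming it compiles under strict settings.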
@@ -7,32 +8,7 @@ export default {
 {
 path: "/",
 middleware: {
- handler: async (req, ctx) => {
- if (
- ctx.destination !== "route" ||
- new URL(req.url).pathname.startsWith("/api")
- ) return await ctx.next();
-
- const response = await ctx.next();
-
- /**
- * @todo(Jabolol) Implement `Content-Security-Policy` once
- * https://github.com/denoland/fresh/pull/1787 lands.
- */
- response.headers.set(
- "Strict-Transport-Security",
- "max-age=63072000;",
- );
- response.headers.set(
- "Referrer-Policy",
- "strict-origin-when-cross-origin",
- );
- response.headers.set("X-Content-Type-Options", "nosniff");
- response.headers.set("X-Frame-Options", "SAMEORIGIN");
- response.headers.set("X-XSS-Protection", "1; mode=block");
-
- return response;
- },
+ handler: securityHeadersMiddleware,
 },
 },
 ],
From c1c98ca67b6f57f7d2dd584d7ef719a2fc837bf4 Mon Sep 17 00:00:00 2001
From: Asher Gomez
Date: Sat, 21 Jun 2025 07:53:32 +1000
Subject: [PATCH 2/2] fix
---
 middlewares/security_headers.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/middlewares/security_headers.ts b/middlewares/security_headers.ts
index 7ff7a632..968fe734 100644
--- a/middlewares/security_headers.ts
+++ b/middlewares/security_headers.ts
@@ -1,3 +1,4 @@
+// Copyright 2023-2025 the Deno authors. All rights reserved. MIT license.
 import type { FreshContext } from "$fresh/server.ts";
 
 export default async (_req: Request, ctx: FreshContext): Promise => {