# frozen_string_literal: true
# rubocop:disable Style/PercentLiteralDelimiters,Lint/PercentStringArray

# Site-wide secure_headers configuration: cookie attributes and the
# Content-Security-Policy header.
#
# The sources that exist only to support local development (the dev server on
# localhost and its live-reload websocket) and the script-src relaxations
# ('unsafe-eval', 'unsafe-inline') are kept in named lists so they stand out
# in review. They are still applied in every environment; the FIXMEs below are
# unresolved.
SecureHeaders::Configuration.default do |config|
  # FIXME: only enable localhost for development
  local_dev_sources = %w(http://localhost:3000 ws://localhost:3035 http://localhost:3035)

  # FIXME: only enable unsafe-* for development
  # 'unsafe-inline' and 'unsafe-eval' remove most of the script-injection
  # protection a CSP provides; they should not ship to production.
  unsafe_script_sources = %w('unsafe-eval' 'unsafe-inline')

  config.cookies = {
    # OPT_OUT means secure_headers does NOT add the Secure attribute to cookies.
    secure: SecureHeaders::OPT_OUT,
    # OPT_OUT means secure_headers does NOT add the HttpOnly attribute to cookies.
    httponly: SecureHeaders::OPT_OUT,
    # Every cookie is sent with SameSite=Lax.
    samesite: { lax: true },
  }

  config.csp = {
    default_src: %w('self') + local_dev_sources + %w(https://kit-free.fontawesome.com),
    script_src: %w('self') + unsafe_script_sources + %w(https://kit.fontawesome.com/589a3d92cd.js),
  }
end

# Reference: the full set of options secure_headers accepts, kept commented out
# as a template for future hardening (HSTS, X-Frame-Options, referrer policy,
# the remaining CSP directives and report-only mode).
#
# SecureHeaders::Configuration.default do |config|
#   config.cookies = {
#     secure: SecureHeaders::OPT_OUT, # mark all cookies as "Secure"
#     httponly: SecureHeaders::OPT_OUT, # mark all cookies as "HttpOnly"
#     samesite: {
#       lax: true, # mark all cookies as SameSite=lax
#     },
#   }
#   # Add "; preload" and submit the site to hstspreload.org for best protection.
#   config.hsts = "max-age=#{1.week.to_i}"
#   config.x_frame_options = 'DENY'
#   config.x_content_type_options = 'nosniff'
#   config.x_xss_protection = '1; mode=block'
#   config.x_download_options = 'noopen'
#   config.x_permitted_cross_domain_policies = 'none'
#   config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
#   config.csp = {
#     # "meta" values. these will shape the header, but the values are not included in the header.
#     # preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
#     # disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.
#
#     # directive values: these values will directly translate into source directives
#     # default_src: %w('none'),
#     # FIXME: only enable localhost for development
#     default_src: %w('self' http://localhost:3000 ws://localhost:3035 http://localhost:3035),
#     # FIXME: only enable unsafe-* for development
#     script_src: %w('self' 'unsafe-eval' 'unsafe-inline'),
#     base_uri: %w('self'),
#     block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
#     child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
#     connect_src: %w(wss:),
#     font_src: %w('self' data:),
#     form_action: %w('self'),
#     frame_ancestors: %w('none'),
#     img_src: %w('self' data:),
#     manifest_src: %w('self'),
#     media_src: %w(),
#     object_src: %w('self'),
#     sandbox: true, # true and [] will set a maximally restrictive setting
#     plugin_types: %w(),
#     # script_src: %w('self'),
#     style_src: %w('self' 'unsafe-inline'),
#     worker_src: %w('self'),
#     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
#     report_uri: %w(),
#   }
#
#   # This is available only from 3.5.0; use the `report_only: true` setting for 3.4.1 and below.
#   # config.csp_report_only = config.csp.merge(
#   #   img_src: %w(),
#   #   report_uri: %w(),
#   # )
# end