From 303f93cd584f6323dc8a0594848771a7cf7c5848 Mon Sep 17 00:00:00 2001
From: Arnaud Meukam
Date: Wed, 13 Nov 2024 17:56:16 -0700
Subject: [PATCH 1/2] Fastly: fix the cache rule for the version markers.
Related:
- https://github.com/kubernetes/k8s.io/issues/7447
We do not capture the latest-1.txt and stable-1.txt due to the regex rule define for all the version markers.
---
 infra/fastly/terraform/dl-sandbox.k8s.dev/vcl/binaries.vcl | 2 +-
 infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/infra/fastly/terraform/dl-sandbox.k8s.dev/vcl/binaries.vcl b/infra/fastly/terraform/dl-sandbox.k8s.dev/vcl/binaries.vcl
index af35393bf8e..afca1c558e7 100644
--- a/infra/fastly/terraform/dl-sandbox.k8s.dev/vcl/binaries.vcl
+++ b/infra/fastly/terraform/dl-sandbox.k8s.dev/vcl/binaries.vcl
@@ -45,7 +45,7 @@ sub vcl_fetch {
 }
 # Ensure version markers are not cached at the edge
- if (req.url.path ~ "^/release/(latest|stable)(-\d+(\.\d+))?\.txt\z") {
+ if (req.url.path ~ "^/release/(latest|stable)(-\d+(\.\d+)?)?\.txt\z") {
 set beresp.cacheable = false;
 set beresp.ttl = 0s;
 return (pass);
diff --git a/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl b/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
index ef1f05fcfcc..7824bb59954 100644
--- a/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
+++ b/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
@@ -45,7 +45,7 @@ sub vcl_fetch {
 }
 # Ensure version markers are not cached at the edge
- if (req.url.path ~ "^/release/(latest|stable)(-\d+(\.\d+))?\.txt\z") {
+ if (req.url.path ~ "^/release/(latest|stable)(-\d+(\.\d+)?)?\.txt\z") {
 set beresp.cacheable = false;
 set beresp.ttl = 0s;
 return (pass);
From 17c3fe5d91530554e4171dc3fb41ca0752747731 Mon Sep 17 00:00:00 2001
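Review bot: The corrected pattern now accepts three marker shapes (latest.txt, latest-1.txt, latest-1.31.txt and the stable-* equivalents), but the comment above the rule still says only "version markers", so the next edit to this regex can silently drop a shape again the way the old `(-\d+(\.\d+))?` did; I would extend it to `# Ensure version markers (latest.txt, latest-N.txt, latest-N.M.txt and the stable-* equivalents) are not cached at the edge`. A marker that falls outside this rule is presumably cached with the default TTL and would keep pointing clients at an older release, so a short list of expected matches and non-matches in the PR would make the fix verifiable. This is the dl-sandbox.k8s.dev hunk; the dl.k8s.io hunk in the same patch carries the identical rule and needs the same comment, and the two copies should be kept in step. The enclosing if block closes outside the hunk.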
From: Arnaud Meukam
Date: Tue, 10 Sep 2024 17:57:17 +0200
Subject: [PATCH 2/2] Fastly: Include security headers for dl
Add Security headers to the VCL service.
Ref:
- https://web.dev/secure/
- https://infosec.mozilla.org/guidelines/web_security
Signed-off-by: Arnaud Meukam
---
 infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl b/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
index 7824bb59954..799d10b5b61 100644
--- a/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
+++ b/infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
@@ -109,6 +109,17 @@ sub vcl_hit {
 sub vcl_deliver {
+ set resp.http.Content-Security-Policy = "default-src 'self'";
+ set resp.http.X-Frame-Options = "SAMEORIGIN";
+ set resp.http.X-XSS-Protection = "1";
+ set resp.http.X-Content-Type-Options = "nosniff";
+ set resp.http.Referrer-Policy = "origin-when-cross-origin";
+
+ if (req.protocol == "https") {
+ # Only connect to this site and subdomains via HTTPS for the next two years
+ set resp.http.Strict-Transport-Security = "max-age=63072000; includeSubDomains";
+ }
+
 if (resp.http.cache-control:max-age) {
 unset resp.http.expires;
 }
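Review bot: `set resp.http.X-XSS-Protection = "1";` turns on the legacy browser XSS auditor in filtering mode, which as far as I recall is not the value the referenced Mozilla guideline gives (`1; mode=block`), and current MDN/OWASP guidance is to send `0` or omit the header entirely because the auditor has been removed from modern browsers and its filtering mode caused problems of its own; with `default-src 'self'` already set two lines above, I would change it to `set resp.http.X-XSS-Protection = "0";` or drop the line. Separately, this patch adds the headers only to dl.k8s.io whereas the first patch kept dl-sandbox.k8s.dev in step, so the sandbox service will no longer send what production sends and cannot be used to preview header changes. The closing brace of sub vcl_deliver is outside the hunk.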