Fix unsafe null assertion and add security headers #21

Merged
nota9x merged 4 commits into main from copilot/fix-null-assertion-in-worker
Feb 11, 2026

Conversation

Contributor

Copilot AI commented Feb 11, 2026

Pull Request (Website)

1. Type of Change:
What does this PR do? (Check one)

  • Bug Fix (e.g., Fixing a broken tool or layout issue)
  • New Feature (e.g., Adding a new tool or page)
  • Content Update (e.g., New blog post or text changes)
  • Code Refactor (e.g., Cleaning up TypeScript or CSS)

2. Related Issue:
Does this fix an existing issue? Please link it here (e.g., "Closes #24").

N/A

3. Summary of Changes:
Briefly explain what you changed and why. (e.g., "Fixed mobile navbar not opening on iOS," "Added a new blog post about Securly SSL decryption")

Three security improvements to src/worker.ts:

Unsafe null assertion removed
handleAssetResponse() can return null when response is neither ok nor 304. The non-null assertion operator (!) caused runtime errors. Now properly checks for null:

// Before: Crashes if handleAssetResponse returns null
return handleAssetResponse(notFoundResponse)!;

// After: Safe null handling with fallthrough
const handledNotFound = handleAssetResponse(notFoundResponse);
if (handledNotFound) {
  return handledNotFound;
}
// Falls through to 404 handling

Content Security Policy added
CSP header prevents XSS and controls resource loading. Updated to allow required external resources:

  • Google Fonts: fonts.googleapis.com (stylesheets) and fonts.gstatic.com (font files)
  • External APIs: dns-monitor.a9x.workers.dev and raw.githubusercontent.com
  • Inline styles: 'unsafe-inline' for existing HTML inline style attributes

Full CSP: default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; script-src 'self'; connect-src 'self' https://dns-monitor.a9x.workers.dev https://raw.githubusercontent.com; object-src 'none'; base-uri 'self'; frame-ancestors 'self'

HSTS header added
Enforces HTTPS with max-age=31536000; includeSubDomains; preload to prevent protocol downgrade attacks.

4. Verification & Testing:
How did you verify these changes?

  • I have built the worker locally (npm run build) without errors.
  • I have tested the changes on a local development server (npm run dev).
  • (If UI related) I have checked how this looks on mobile/Chromebooks.

5. Screenshots (Optional):
If this is a visual change, please paste a screenshot or GIF below to help us review it faster.

N/A - Backend security changes only


Final Checklist:

  • I have read the Contributing Guidelines.
  • My code follows the project's style (clean TypeScript, proper asset placement).
Original prompt
Please apply the following diffs and create a pull request.
Once the PR is ready, give it a title based on the messages of the fixes being applied.

[{"message":"Using the non-null assertion operator (!) is unsafe here. The handleAssetResponse function can return null when the response is not ok and not 304, which would cause a runtime error. Check if the result is null before returning or handle the null case appropriately.","fixFiles":[{"filePath":"src/worker.ts","diff":"diff --git a/src/worker.ts b/src/worker.ts\n--- a/src/worker.ts\n+++ b/src/worker.ts\n@@ -132,7 +132,11 @@\n \n     // Handle 304 responses using the helper\n     if (notFoundResponse.status === 304) {\n-      return handleAssetResponse(notFoundResponse)!;\n+      const handledNotFound = handleAssetResponse(notFoundResponse);\n+      if (handledNotFound) {\n+        return handledNotFound;\n+      }\n+      // If the helper returns null, fall through to the 404 handling below.\n     }\n     \n     // For successful responses, wrap in 404 status\n"}]},{"message":"Missing Content Security Policy (CSP) header. Consider adding a CSP header to prevent XSS attacks and control resource loading for better security.","fixFiles":[{"filePath":"src/worker.ts","diff":"diff --git a/src/worker.ts b/src/worker.ts\n--- a/src/worker.ts\n+++ b/src/worker.ts\n@@ -42,6 +42,12 @@\n   if (!headers.has('Referrer-Policy'))\n     headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');\n   if (!headers.has('X-Frame-Options')) headers.set('X-Frame-Options', 'SAMEORIGIN');\n+  if (!headers.has('Content-Security-Policy')) {\n+    headers.set(\n+      'Content-Security-Policy',\n+      \"default-src 'self'; img-src 'self' data:; style-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'\"\n+    );\n+  }\n }\n \n function applySecurityHeaders(original: Response): Response {\n"}]},{"message":"Missing Strict-Transport-Security (HSTS) header. 
This header should be added to enforce HTTPS connections and prevent protocol downgrade attacks.","fixFiles":[{"filePath":"src/worker.ts","diff":"diff --git a/src/worker.ts b/src/worker.ts\n--- a/src/worker.ts\n+++ b/src/worker.ts\n@@ -42,6 +42,9 @@\n   if (!headers.has('Referrer-Policy'))\n     headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');\n   if (!headers.has('X-Frame-Options')) headers.set('X-Frame-Options', 'SAMEORIGIN');\n+  if (!headers.has('Strict-Transport-Security')) {\n+    headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');\n+  }\n }\n \n function applySecurityHeaders(original: Response): Response {\n"}]}]
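Review bot: in the first hunk (the 304 branch), when handleAssetResponse returns null the new code falls through into the block commented "For successful responses, wrap in 404 status", so a 304 the helper declined would be re-wrapped as a 404 carrying the 304's (normally empty) body and headers. Either return an explicit 404 from the null path, or add a comment stating that handleAssetResponse cannot return null for a 304 response so the branch is purely defensive.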
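Review bot: the CSP hunk sets no connect-src and no font-src, so both fall back to default-src 'self', and style-src 'self' admits no third-party stylesheet; every cross-origin fetch(), web font and external stylesheet the site loads will be blocked, which is exactly what the console errors later in this thread show. Enumerate the origins the pages actually use before shipping, or deploy the header first as Content-Security-Policy-Report-Only so violations are visible without breaking the site. If inline style attributes must stay, prefer per-attribute hashes or a nonce over 'unsafe-inline'.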
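Review bot: the HSTS hunk has the same context lines and the same @@ -42,6 header as the CSP hunk, so whichever is applied second needs an offset; verify the merged file ends up with both headers.set calls. On the value itself, "preload" combined with "includeSubDomains" commits every subdomain of the zone to HTTPS for a year and only takes effect once the domain is submitted to the browser preload list, after which it is effectively irreversible; if any subdomain still serves plain HTTP, ship without "preload" and a shorter max-age first.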


Co-authored-by: nota9x <105396031+nota9x@users.noreply.github.com>
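The fallback behaviour behind the console errors in this thread (the first policy has no connect-src or font-src, so the browser judges those loads by default-src 'self', and style-src 'self' admits no third-party stylesheet), as an added TypeScript example that is not code from the hapara-fail worker or from Copilot's diff. It models how a browser resolves CSP fetch directives against a policy string and then repairs the policy by adding the origins named in the PR. The page origin https://example.invalid and all function names are constructed for the example; host matching is exact (no wildcards or path matching) and only the source expressions the PR uses are supported.

```typescript
// Added example, not code from the hapara-fail repository: a minimal model of
// CSP fetch-directive resolution, including the default-src fallback.

type CspDirectives = Record<string, string[]>;

// CSP fetch directives: when one is absent, the browser consults default-src.
// Document directives such as base-uri and frame-ancestors never fall back.
const FETCH_DIRECTIVES: string[] = [
  'child-src', 'connect-src', 'font-src', 'frame-src', 'img-src', 'manifest-src',
  'media-src', 'object-src', 'script-src', 'style-src', 'worker-src',
];

// Parse "name src src; name src" into a directive map. The first occurrence
// of a directive wins, which is how browsers treat duplicates.
function parseCsp(policy: string): CspDirectives {
  const out: CspDirectives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in out)) out[name] = tokens.slice(1);
  }
  return out;
}

// Serialize a directive map back into a header value.
function buildCsp(directives: CspDirectives): string {
  return Object.keys(directives)
    .map((name) => [name].concat(directives[name]).join(' '))
    .join('; ');
}

// The directive the browser actually consults for a load of this type:
// the directive itself, else default-src for fetch directives, else none.
function governingDirective(directives: CspDirectives, directive: string): string | null {
  if (directive in directives) return directive;
  if (FETCH_DIRECTIVES.indexOf(directive) !== -1 && 'default-src' in directives) return 'default-src';
  return null; // unrestricted
}

// scheme://host[:port] of a URL, lower-cased; no URL global needed.
function originOf(url: string): string {
  const m = /^([a-z][a-z0-9+.\-]*:\/\/[^\/?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : url.toLowerCase();
}

// Does one source expression permit the URL? Handles 'self', 'none',
// scheme sources such as data:, and exact host sources.
function sourceMatches(source: string, url: string, pageOrigin: string): boolean {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return originOf(url) === pageOrigin.toLowerCase();
  if (/^[a-z][a-z0-9+.\-]*:$/.test(s)) return url.toLowerCase().slice(0, s.length) === s;
  if (s.charAt(0) === "'") return false; // 'unsafe-inline', nonces, hashes are not URL sources
  return originOf(url) === originOf(s);
}

// Decision for one load, mirroring the browser's console message: returns the
// directive that blocked it, or null when the load is allowed.
function cspBlockedBy(policy: string, directive: string, url: string, pageOrigin: string): string | null {
  const directives = parseCsp(policy);
  const gov = governingDirective(directives, directive);
  if (gov === null) return null;
  const allowed = directives[gov].some((src) => sourceMatches(src, url, pageOrigin));
  return allowed ? null : gov;
}

// Add sources to a directive. When the directive is absent it is seeded from
// default-src, so introducing connect-src does not silently drop 'self'.
function allowSources(policy: string, directive: string, sources: string[]): string {
  const directives = parseCsp(policy);
  const existing = directives[directive] as string[] | undefined;
  const merged = (existing ? existing : (directives['default-src'] ?? [])).slice();
  for (const s of sources) if (merged.indexOf(s) === -1) merged.push(s);
  directives[directive] = merged;
  return buildCsp(directives);
}

// The policy from the PR's first commit (copied from the diff in the prompt).
const INITIAL_CSP =
  "default-src 'self'; img-src 'self' data:; style-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
const PAGE_ORIGIN = 'https://example.invalid'; // constructed placeholder for the site origin

interface DemoResult {
  initialConnect: string | null; initialStyle: string | null;
  fixedConnect: string | null; fixedFont: string | null; fixedPolicy: string;
}

// Reproduce the maintainer's errors against the first policy, then show the
// same loads passing once the origins from the follow-up commit are allowed.
function demo(): DemoResult {
  let fixed = allowSources(INITIAL_CSP, 'connect-src',
    ['https://dns-monitor.a9x.workers.dev', 'https://raw.githubusercontent.com']);
  fixed = allowSources(fixed, 'style-src', ['https://fonts.googleapis.com']);
  fixed = allowSources(fixed, 'font-src', ['https://fonts.gstatic.com']);
  return {
    initialConnect: cspBlockedBy(INITIAL_CSP, 'connect-src', 'https://dns-monitor.a9x.workers.dev/', PAGE_ORIGIN),
    initialStyle: cspBlockedBy(INITIAL_CSP, 'style-src', 'https://fonts.googleapis.com/css2?family=Poppins', PAGE_ORIGIN),
    fixedConnect: cspBlockedBy(fixed, 'connect-src', 'https://dns-monitor.a9x.workers.dev/', PAGE_ORIGIN),
    fixedFont: cspBlockedBy(fixed, 'font-src', 'https://fonts.gstatic.com/s/poppins.woff2', PAGE_ORIGIN),
    fixedPolicy: fixed,
  };
}
```

Running demo() reports the dns-monitor fetch as blocked by default-src and the Google Fonts stylesheet as blocked by style-src under the first policy, matching the "violates the following directive" lines in the maintainer's console output, and both loads as allowed under the repaired policy. Seeding a new directive from default-src is the detail most often missed by hand edits: a bare connect-src listing only the API hosts would block the site's own same-origin fetches.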

cloudflare-workers-and-pages bot commented Feb 11, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

Status: ✅ Deployment successful!
Name: hapara-fail
Latest Commit: 95ba129
Preview URL: Commit Preview URL; Branch Preview URL
Updated (UTC): Feb 11 2026, 01:45 AM

Copilot AI changed the title [WIP] Fix unsafe null assertion in handleAssetResponse Fix unsafe null assertion and add security headers Feb 11, 2026
Copilot AI requested a review from nota9x February 11, 2026 01:37
Member

@nota9x nota9x left a comment


Please fix Google Fonts and internal URL access. Google Fonts, https://dns-monitor.a9x.workers.dev/, and https://raw.githubusercontent.com/hapara-fail/blocklist/refs/heads/main/README.md are blocked by the Content Security Policy.

Here are the browser console errors:

Content-Security-Policy: The page’s settings blocked a style (style-src-elem) at https://fonts.googleapis.com/css2?family=Poppins:wght@400;600;800&display=swap from being applied because it violates the following directive: “style-src 'self'” dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-+jyLQI5MwJOCQ5PLItHWdAHUeNFT1k/QWzRJTgvesdo=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: padding: 12px 32px; font-size: 1.1rem dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-M5wNBCr9GbVtfoMhgCCZtJ2fm17gvGHA6kxsxjkJKoU=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: background-color: var(--bg-offset); bord… dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-M1LyEvTV6/f87wo57He+5gpueOMjFf3pCfzNCEfc2CQ=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: transition-delay: 0.1s dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-c0qEE1IsAe1c0Z0jwpO6wvhLG+lfOBCPTYwV58f1PHk=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: transition-delay: 0.2s dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-Qik5HKGT2IBdPgust3dczXPhxOI0TsHqlv28CvAEN+Y=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: transition-delay: 0.3s dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-rwQ3PC77+FyqVY95ie84cuKH+JCO+YWFSpxrJqPfc7E=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: margin: 1.5rem 0; border: 0; border-top:… 5 dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-M5wNBCr9GbVtfoMhgCCZtJ2fm17gvGHA6kxsxjkJKoU=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: background-color: var(--bg-offset); bord… dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-6jQJjHLlzgsID/d/CpCeXPF7x/ieNL07Hx4y2SAOOfM=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: display: flex; align-items: center; gap:… dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-S7898Hb+PHYyBv4itdTHM50tQsn3LF2RDisrLLd4BLE=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: margin-bottom: 0 dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-oWTzYE1M5zjsA6a+08+B3hrRKJD0z/XgNCqXPphvcIA=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: margin-bottom: 0; text-decoration: none dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-7EbwLmLzYHPKJ0eBV7UTa8iLIOyiK3AI+VwLAEkZ25s=', requires 'unsafe-hashes' for style attributes) or a nonce.
Source: font-size: 0.9em dns
Content-Security-Policy: The page’s settings blocked an inline style (style-src-elem) from being applied because it violates the following directive: “style-src 'self'”. Consider using a hash ('sha256-/Hkx/iuS9GptUMVWS9YQmyoT4/YWUcVfGHzme/Oq8Kk=', requires 'unsafe-hashes' for style attributes) or a nonce. nav.js:385:21
Error loading blocklist: TypeError: NetworkError when attempting to fetch resource.
fetchServices https://copilot-fix-null-assertion-in-worker-hapara-fail.a9x.workers.dev/js/dns-service.js:441
https://copilot-fix-null-assertion-in-worker-hapara-fail.a9x.workers.dev/js/dns-service.js:673
dns-service.js:517:15
Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at https://raw.githubusercontent.com/hapara-fail/blocklist/refs/heads/main/README.md because it violates the following directive: “default-src 'self'” dns-service.js:441:30
DNS Status Check Failed: TypeError: NetworkError when attempting to fetch resource.
checkDnsStatus https://copilot-fix-null-assertion-in-worker-hapara-fail.a9x.workers.dev/js/dns-service.js:274
https://copilot-fix-null-assertion-in-worker-hapara-fail.a9x.workers.dev/js/dns-service.js:358
setTimeout handler* https://copilot-fix-null-assertion-in-worker-hapara-fail.a9x.workers.dev/js/dns-service.js:354
dns-service.js:301:15
Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at https://dns-monitor.a9x.workers.dev/ because it violates the following directive: “default-src 'self'” dns-service.js:274:30

Contributor Author

Copilot AI commented Feb 11, 2026

Please fix Google fonts and internal URLs access. Google fonts, https://dns-monitor.a9x.workers.dev/, and https://raw.githubusercontent.com/hapara-fail/blocklist/refs/heads/main/README.md is blocked b...

Fixed in commit 95ba129. The CSP policy has been updated to allow:

  • Google Fonts: fonts.googleapis.com (stylesheets) and fonts.gstatic.com (font files)
  • External API calls: dns-monitor.a9x.workers.dev and raw.githubusercontent.com
  • Inline styles: Added 'unsafe-inline' to support existing inline style attributes

The updated CSP:

default-src 'self'; 
img-src 'self' data:; 
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; 
font-src 'self' https://fonts.gstatic.com; 
script-src 'self'; 
connect-src 'self' https://dns-monitor.a9x.workers.dev https://raw.githubusercontent.com; 
object-src 'none'; 
base-uri 'self'; 
frame-ancestors 'self'

Copilot AI requested a review from nota9x February 11, 2026 01:46
@nota9x nota9x marked this pull request as ready for review February 11, 2026 01:48
Copilot AI review requested due to automatic review settings February 11, 2026 01:48

Copilot AI left a comment


Pull request overview

This PR enhances the security of the Cloudflare Workers-based static site by fixing a runtime safety issue and adding two critical security headers. The changes prevent potential crashes from unsafe null handling and implement industry-standard security protections against XSS attacks and protocol downgrade attacks.

Changes:

  • Fixed unsafe null assertion in 304 response handling that could cause runtime errors
  • Added Content-Security-Policy header to prevent XSS attacks and control resource loading
  • Added Strict-Transport-Security (HSTS) header to enforce HTTPS connections

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

src/worker.ts: Fixed unsafe null assertion in handleAssetResponse call; added CSP and HSTS headers to security header configuration
.gitignore: Added worker-configuration.d.ts to ignored files (auto-generated TypeScript definitions)


@nota9x nota9x merged commit 33ffbd6 into main Feb 11, 2026
10 checks passed
@nota9x nota9x deleted the copilot/fix-null-assertion-in-worker branch February 11, 2026 01:53