Add security HTTP headers

Sadly, the Vue web interface needs unsafe-inline for both stylesheets
and scripts, making the CSP header a bit useless.
This commit is contained in:
Vic Demuzere 2021-09-24 16:59:06 +02:00
parent 9ad6d468fd
commit 652eea694e
No known key found for this signature in database
GPG Key ID: 5B9EA1616690CF94

17
main.go

@ -86,9 +86,20 @@ func assetDelivery(w http.ResponseWriter, r *http.Request) {
}
w.Header().Set("Content-Type", mime.TypeByExtension(ext))
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Write(assetData)
}
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
var cspHeader = strings.Join([]string{
"default-src 'none'",
"connect-src 'self'",
"font-src 'self'",
"img-src 'self'",
"script-src 'self' 'unsafe-inline'",
"style-src 'self' 'unsafe-inline'",
}, ";")
func handleIndex(w http.ResponseWriter, r *http.Request) {
indexTpl, err := assets.ReadFile("frontend/index.html")
if err != nil {
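Review bot: The new cspHeader only constrains fetch sources; it carries no embedding or navigation directives, so the document can still be framed, have its base URL rewritten, or submit forms to another origin even with default-src 'none'. Add `"frame-ancestors 'none'",`, `"base-uri 'none'",` and `"form-action 'self'",` to the slice — frame-ancestors is the CSP counterpart of the X-Frame-Options DENY that the second hunk sets, and the pair should agree. As the commit message says, script-src 'unsafe-inline' means this policy does not mitigate injected scripts; since handleIndex already executes the template with a Vars map, a per-request random nonce passed through Vars and emitted as a nonce attribute on the inline script and style tags would let 'unsafe-inline' be replaced by a 'nonce-…' source, and a comment such as `// TODO: replace 'unsafe-inline' with a per-request nonce once the template emits nonce attributes` on the var would record that follow-up. handleIndex's body continues outside this hunk.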
@ -102,6 +113,12 @@ func handleIndex(w http.ResponseWriter, r *http.Request) {
return
}
w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("X-Xss-Protection", "1; mode=block")
w.Header().Set("Content-Security-Policy", cspHeader)
w.Header().Set("X-Content-Type-Options", "nosniff")
if err = tpl.Execute(w, struct {
Vars map[string]string
}{