Security headers

2022-01-17 19:31:11 -05:00 · 2022-01-17 19:31:11 -05:00 · 1d050e2d45
parent 7849164d7e
commit 1d050e2d45
2 changed files with 11 additions and 2 deletions
--- a/pages/album.go
+++ b/pages/album.go
@ -6,6 +6,15 @@ import (
 )

 func HandleAlbum(c *fiber.Ctx) error {
+	c.Set("Cache-Control", "public,max-age=604800")
+	c.Set("X-Frame-Options", "DENY")
+	c.Set("Referrer-Policy", "no-referrer")
+	c.Set("X-Content-Type-Options", "nosniff")
+	c.Set("X-Robots-Tag", "noindex, noimageindex, nofollow")
+	c.Set("Strict-Transport-Security", "max-age=31557600")
+	c.Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()")
+	c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; script-src 'none'; img-src 'self'; font-src 'self'; block-all-mixed-content; manifest-src 'self'")
+
 	// https://imgur.com/a/DfEsrAB

 	album, err := api.FetchAlbum(c.Params("albumID"))
--- a/pages/frontpage.go
+++ b/pages/frontpage.go
@ -9,8 +9,8 @@ func FrontpageHandler(c *fiber.Ctx) error {
 	c.Set("X-Content-Type-Options", "nosniff")
 	c.Set("X-Robots-Tag", "noindex, noimageindex, nofollow")
 	c.Set("Strict-Transport-Security", "max-age=31557600")
-	c.Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()")
-	c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self'; font-src 'self'; form-action 'self'; block-all-mixed-content; manifest-src 'self'")
+	c.Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()")
+	c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; script-src 'none'; img-src 'self'; font-src 'self'; block-all-mixed-content; manifest-src 'self'")

 	return c.Render("frontpage", fiber.Map{})
 }