From 1d050e2d450713df9a1ae1aa4905e50bf1d2349e Mon Sep 17 00:00:00 2001
From: video-prize-ranch
Date: Mon, 17 Jan 2022 19:31:11 -0500
Subject: [PATCH] Security headers

---
 pages/album.go | 9 +++++++++
 pages/frontpage.go | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/pages/album.go b/pages/album.go
index f00f7f5..9b21b9c 100644
--- a/pages/album.go
+++ b/pages/album.go
@@ -6,6 +6,15 @@ import (
 )
 
 func HandleAlbum(c *fiber.Ctx) error {
+	c.Set("Cache-Control", "public,max-age=604800")
+	c.Set("X-Frame-Options", "DENY")
+	c.Set("Referrer-Policy", "no-referrer")
+	c.Set("X-Content-Type-Options", "nosniff")
+	c.Set("X-Robots-Tag", "noindex, noimageindex, nofollow")
+	c.Set("Strict-Transport-Security", "max-age=31557600")
+	c.Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()")
+	c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; script-src 'none'; img-src 'self'; font-src 'self'; block-all-mixed-content; manifest-src 'self'")
+
 	// https://imgur.com/a/DfEsrAB
 	album, err := api.FetchAlbum(c.Params("albumID"))
 
diff --git a/pages/frontpage.go b/pages/frontpage.go
index 375d7af..0b14894 100644
--- a/pages/frontpage.go
+++ b/pages/frontpage.go
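Review bot: `Cache-Control: public,max-age=604800` is set at the very top of HandleAlbum, before `api.FetchAlbum` runs, so whatever response the handler produces when the fetch fails or the album does not exist (that `err` path lies outside this hunk) is also marked as publicly cacheable for seven days by any intermediary or CDN in front of the service. Move that one header to the success path, immediately before the render, and leave the security headers where they are; the rest of HandleAlbum continues past the end of the hunk. The eight security headers are now duplicated verbatim between HandleAlbum and FrontpageHandler, and the two CSPs had already drifted apart before this commit, so a single Fiber middleware registered with `app.Use` that sets them on every response would be the safer home for them. Note also that `frame-ancestors` does not fall back to `default-src`, so `X-Frame-Options: DENY` would ideally be paired with `frame-ancestors 'none'` in the CSP.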
@@ -9,8 +9,8 @@ func FrontpageHandler(c *fiber.Ctx) error {
 	c.Set("X-Content-Type-Options", "nosniff")
 	c.Set("X-Robots-Tag", "noindex, noimageindex, nofollow")
 	c.Set("Strict-Transport-Security", "max-age=31557600")
-	c.Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()")
-	c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self'; font-src 'self'; form-action 'self'; block-all-mixed-content; manifest-src 'self'")
+	c.Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()")
+	c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; script-src 'none'; img-src 'self'; font-src 'self'; block-all-mixed-content; manifest-src 'self'")
 
 	return c.Render("frontpage", fiber.Map{})
 }
\ No newline at end of file
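Review bot: The new Content-Security-Policy line drops the `form-action 'self'` that the removed line carried, and `form-action` is one of the directives that does not fall back to `default-src 'none'`, so the "tightened" policy actually loosens form handling: any form the frontpage template renders can now submit to an arbitrary origin. Keep the directive and, while touching the line, add the other two non-inheriting directives as well: `c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; script-src 'none'; img-src 'self'; font-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'; block-all-mixed-content")`. `script-src 'none'` is redundant under `default-src 'none'` and `block-all-mixed-content` is deprecated in favour of `upgrade-insecure-requests`, though neither weakens the policy. Removing `'unsafe-inline'` from `style-src` will block any inline `style` attributes or `<style>` blocks in the frontpage template, which is not part of this diff, so confirm the page still renders correctly under the new policy.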