Improve CSP and security headers (closes #74)
This commit is contained in:
parent
10289cde51
commit
5c2962d34d
|
@ -11,7 +11,7 @@ import (
|
|||
func HandleEmbed(c *fiber.Ctx) error {
|
||||
utils.SetHeaders(c)
|
||||
c.Set("Cache-Control", "public,max-age=31557600")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'self'; img-src 'self'; block-all-mixed-content")
|
||||
|
||||
post, err := api.Album{}, error(nil)
|
||||
switch {
|
||||
|
@ -40,7 +40,7 @@ func HandleEmbed(c *fiber.Ctx) error {
|
|||
func HandleGifv(c *fiber.Ctx) error {
|
||||
utils.SetHeaders(c)
|
||||
c.Set("Cache-Control", "public,max-age=31557600")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'self'; img-src 'self'; block-all-mixed-content")
|
||||
|
||||
return c.Render("gifv", fiber.Map{
|
||||
"id": c.Params("postID"),
|
||||
|
|
|
@ -11,7 +11,7 @@ func HandleFrontpage(c *fiber.Ctx) error {
|
|||
utils.SetHeaders(c)
|
||||
c.Set("X-Frame-Options", "DENY")
|
||||
c.Set("Cache-Control", "public,max-age=31557600")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; style-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||
|
||||
return c.Render("frontpage", fiber.Map{
|
||||
"proto": c.Protocol(),
|
||||
|
|
|
@ -45,7 +45,7 @@ func HandlePost(c *fiber.Ctx) error {
|
|||
}
|
||||
|
||||
nonce := ""
|
||||
csp := "default-src 'none'; media-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content; style-src 'self'"
|
||||
csp := "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content; style-src 'self'"
|
||||
if len(post.Tags) != 0 {
|
||||
b := make([]byte, 8)
|
||||
rand.Read(b)
|
||||
|
|
|
@ -12,7 +12,7 @@ func HandleTag(c *fiber.Ctx) error {
|
|||
utils.SetHeaders(c)
|
||||
c.Set("X-Frame-Options", "DENY")
|
||||
c.Set("Cache-Control", "public,max-age=604800")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline' 'self'; media-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; style-src 'unsafe-inline' 'self'; media-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||
|
||||
page := "1"
|
||||
if c.Query("page") != "" {
|
||||
|
|
|
@ -12,7 +12,7 @@ func HandleUser(c *fiber.Ctx) error {
|
|||
utils.SetHeaders(c)
|
||||
c.Set("X-Frame-Options", "DENY")
|
||||
c.Set("Cache-Control", "public,max-age=604800")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||
c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||
|
||||
page := "0"
|
||||
if c.Query("page") != "" {
|
||||
|
|
Loading…
Reference in New Issue