Improve CSP and security headers (closes #74)
This commit is contained in:
parent
10289cde51
commit
5c2962d34d
|
@ -11,7 +11,7 @@ import (
|
||||||
func HandleEmbed(c *fiber.Ctx) error {
|
func HandleEmbed(c *fiber.Ctx) error {
|
||||||
utils.SetHeaders(c)
|
utils.SetHeaders(c)
|
||||||
c.Set("Cache-Control", "public,max-age=31557600")
|
c.Set("Cache-Control", "public,max-age=31557600")
|
||||||
c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
|
c.Set("Content-Security-Policy", "default-src 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'self'; img-src 'self'; block-all-mixed-content")
|
||||||
|
|
||||||
post, err := api.Album{}, error(nil)
|
post, err := api.Album{}, error(nil)
|
||||||
switch {
|
switch {
|
||||||
|
@ -40,7 +40,7 @@ func HandleEmbed(c *fiber.Ctx) error {
|
||||||
func HandleGifv(c *fiber.Ctx) error {
|
func HandleGifv(c *fiber.Ctx) error {
|
||||||
utils.SetHeaders(c)
|
utils.SetHeaders(c)
|
||||||
c.Set("Cache-Control", "public,max-age=31557600")
|
c.Set("Cache-Control", "public,max-age=31557600")
|
||||||
c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
|
c.Set("Content-Security-Policy", "default-src 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'self'; img-src 'self'; block-all-mixed-content")
|
||||||
|
|
||||||
return c.Render("gifv", fiber.Map{
|
return c.Render("gifv", fiber.Map{
|
||||||
"id": c.Params("postID"),
|
"id": c.Params("postID"),
|
||||||
|
|
|
@ -11,7 +11,7 @@ func HandleFrontpage(c *fiber.Ctx) error {
|
||||||
utils.SetHeaders(c)
|
utils.SetHeaders(c)
|
||||||
c.Set("X-Frame-Options", "DENY")
|
c.Set("X-Frame-Options", "DENY")
|
||||||
c.Set("Cache-Control", "public,max-age=31557600")
|
c.Set("Cache-Control", "public,max-age=31557600")
|
||||||
c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; style-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||||
|
|
||||||
return c.Render("frontpage", fiber.Map{
|
return c.Render("frontpage", fiber.Map{
|
||||||
"proto": c.Protocol(),
|
"proto": c.Protocol(),
|
||||||
|
|
|
@ -45,7 +45,7 @@ func HandlePost(c *fiber.Ctx) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
nonce := ""
|
nonce := ""
|
||||||
csp := "default-src 'none'; media-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content; style-src 'self'"
|
csp := "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content; style-src 'self'"
|
||||||
if len(post.Tags) != 0 {
|
if len(post.Tags) != 0 {
|
||||||
b := make([]byte, 8)
|
b := make([]byte, 8)
|
||||||
rand.Read(b)
|
rand.Read(b)
|
||||||
|
|
|
@ -12,7 +12,7 @@ func HandleTag(c *fiber.Ctx) error {
|
||||||
utils.SetHeaders(c)
|
utils.SetHeaders(c)
|
||||||
c.Set("X-Frame-Options", "DENY")
|
c.Set("X-Frame-Options", "DENY")
|
||||||
c.Set("Cache-Control", "public,max-age=604800")
|
c.Set("Cache-Control", "public,max-age=604800")
|
||||||
c.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline' 'self'; media-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; style-src 'unsafe-inline' 'self'; media-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||||
|
|
||||||
page := "1"
|
page := "1"
|
||||||
if c.Query("page") != "" {
|
if c.Query("page") != "" {
|
||||||
|
|
|
@ -12,7 +12,7 @@ func HandleUser(c *fiber.Ctx) error {
|
||||||
utils.SetHeaders(c)
|
utils.SetHeaders(c)
|
||||||
c.Set("X-Frame-Options", "DENY")
|
c.Set("X-Frame-Options", "DENY")
|
||||||
c.Set("Cache-Control", "public,max-age=604800")
|
c.Set("Cache-Control", "public,max-age=604800")
|
||||||
c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
|
||||||
|
|
||||||
page := "0"
|
page := "0"
|
||||||
if c.Query("page") != "" {
|
if c.Query("page") != "" {
|
||||||
|
|
Loading…
Reference in New Issue