aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoris2022-09-04 11:32:37 +0200
committerJoris2022-09-04 11:32:37 +0200
commitbee4bee26ec998b61cd6d70c84bb4845c624bf38 (patch)
tree7c2de540faebbf780bc6491e0ff5eeaaffef356f
parent4428e8174445fcb36a83ee1cbb12b74632cd8b55 (diff)
Add strict security headers
-rw-r--r--src/routes.rs35
1 files changed, 34 insertions, 1 deletions
diff --git a/src/routes.rs b/src/routes.rs
index 7369f98..723e0ea 100644
--- a/src/routes.rs
+++ b/src/routes.rs
@@ -9,6 +9,7 @@ use url::form_urlencoded;
use crate::controller;
use crate::controller::utils::file;
+use crate::controller::utils::with_headers;
use crate::controller::wallet::Wallet;
use crate::db;
use crate::model::config::Config;
@@ -62,7 +63,39 @@ pub async fn routes(
},
};
- Ok(response)
+ Ok(with_security_headers(response))
+}
+
+// Apply security headers, see https://infosec.mozilla.org/guidelines/web_security
+fn with_security_headers(response: Response<Body>) -> Response<Body> {
+ with_headers(
+ response,
+ vec![
+ // Allows fine-grained control over where resources can be loaded from. This is the
+ // best method to prevent cross-site scripting (XSS) vulnerabilities.
+ (
+ hyper::header::CONTENT_SECURITY_POLICY,
+ "default-src 'self'; frame-ancestors 'none'",
+ ),
+ // Notifies user agents to only connect to a given site over HTTPS, even if the scheme
+ // chosen was HTTP.
+ (
+ hyper::header::STRICT_TRANSPORT_SECURITY,
+ "max-age=63072000; includeSubDomains; preload",
+ ),
+ // Allows fine-grained control over how and when browsers transmit the HTTP Referer
+ // header.
+ (hyper::header::REFERRER_POLICY, "same-origin"),
+ // Prevent loading scripts and stylesheets unless the server indicates the correct MIME
+ // type.
+ (hyper::header::X_CONTENT_TYPE_OPTIONS, "nosniff"),
+ // [Older browser] Controls how this site can be framed within an iframe.
+ (hyper::header::X_FRAME_OPTIONS, "DENY"),
+ // [Older browser] Stops pages from loading when they detect reflected cross-site
+ // scripting (XSS) attacks (IE and Chrome).
+ (hyper::header::X_XSS_PROTECTION, "1; mode=block"),
+ ],
+ )
}
async fn connected_user(