authorJoris2022-09-04 11:32:37 +0200
committerJoris2022-09-04 11:32:37 +0200
commitbee4bee26ec998b61cd6d70c84bb4845c624bf38 (patch)
tree7c2de540faebbf780bc6491e0ff5eeaaffef356f /src
parent4428e8174445fcb36a83ee1cbb12b74632cd8b55 (diff)
Add strict security headers
Diffstat (limited to 'src')
-rw-r--r--src/routes.rs35
1 files changed, 34 insertions, 1 deletions
diff --git a/src/routes.rs b/src/routes.rs
index 7369f98..723e0ea 100644
--- a/src/routes.rs
+++ b/src/routes.rs
@@ -9,6 +9,7 @@ use url::form_urlencoded;
use crate::controller;
use crate::controller::utils::file;
+use crate::controller::utils::with_headers;
use crate::controller::wallet::Wallet;
use crate::db;
use crate::model::config::Config;
@@ -62,7 +63,39 @@ pub async fn routes(
},
};
- Ok(response)
+ Ok(with_security_headers(response))
+}
+
+// Apply security headers, see https://infosec.mozilla.org/guidelines/web_security
+fn with_security_headers(response: Response<Body>) -> Response<Body> {
+ with_headers(
+ response,
+ vec![
+ // Allows fine-grained control over where resources can be loaded from. This is the
+ // best method to prevent cross-site scripting (XSS) vulnerabilities.
+ (
+ hyper::header::CONTENT_SECURITY_POLICY,
+ "default-src 'self'; frame-ancestors 'none'",
+ ),
+ // Notifies user agents to only connect to a given site over HTTPS, even if the scheme
+ // chosen was HTTP.
+ (
+ hyper::header::STRICT_TRANSPORT_SECURITY,
+ "max-age=63072000; includeSubDomains; preload",
+ ),
+ // Allows fine-grained control over how and when browsers transmit the HTTP Referer
+ // header.
+ (hyper::header::REFERRER_POLICY, "same-origin"),
+ // Prevent loading scripts and stylesheets unless the server indicates the correct MIME
+ // type.
+ (hyper::header::X_CONTENT_TYPE_OPTIONS, "nosniff"),
+ // [Older browser] Controls how this site can be framed within an iframe.
+ (hyper::header::X_FRAME_OPTIONS, "DENY"),
+ // [Older browser] Stops pages from loading when they detect reflected cross-site
+ // scripting (XSS) attacks (IE and Chrome).
+ (hyper::header::X_XSS_PROTECTION, "1; mode=block"),
+ ],
+ )
}
async fn connected_user(
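Review bot: The policy on the `CONTENT_SECURITY_POLICY` entry leaves form targets and `<base>` unrestricted, because `base-uri` and `form-action` do not fall back to `default-src`; consider `"default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"`. The `X_XSS_PROTECTION` value `1; mode=block` targets the XSS auditor that current browsers have removed, and current OWASP guidance is to send `0` or drop the header once a CSP is in place. The HSTS entry hard-codes `includeSubDomains; preload` with a two-year `max-age`, which commits every subdomain of whatever host this is deployed on; that looks like a deployment decision that belongs in `Config` rather than in the route, though the config struct is not visible here. Whether `with_headers` replaces or appends to headers a handler already set is also not visible in this hunk, and a second CSP appended to an existing one would be enforced alongside it, so the comment above `with_security_headers` should state which of the two it does.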