authorJoris2022-09-04 16:33:02 +0200
committerJoris2022-09-04 16:33:02 +0200
commitc2e4f36b84137854c35e2c455924b936b090a284 (patch)
tree42d84865a120d4a3c80d8646399942f530dd95d1 /src
parentbee4bee26ec998b61cd6d70c84bb4845c624bf38 (diff)
Remove security headers
This can be taken care of directly in nginx.
Diffstat (limited to 'src')
-rw-r--r--src/routes.rs35
1 files changed, 1 insertions, 34 deletions
diff --git a/src/routes.rs b/src/routes.rs
index 723e0ea..7369f98 100644
--- a/src/routes.rs
+++ b/src/routes.rs
@@ -9,7 +9,6 @@ use url::form_urlencoded;
use crate::controller;
use crate::controller::utils::file;
-use crate::controller::utils::with_headers;
use crate::controller::wallet::Wallet;
use crate::db;
use crate::model::config::Config;
@@ -63,39 +62,7 @@ pub async fn routes(
},
};
- Ok(with_security_headers(response))
-}
-
-// Apply security headers, see https://infosec.mozilla.org/guidelines/web_security
-fn with_security_headers(response: Response<Body>) -> Response<Body> {
- with_headers(
- response,
- vec![
- // Allows fine-grained control over where resources can be loaded from. This is the
- // best method to prevent cross-site scripting (XSS) vulnerabilities.
- (
- hyper::header::CONTENT_SECURITY_POLICY,
- "default-src 'self'; frame-ancestors 'none'",
- ),
- // Notifies user agents to only connect to a given site over HTTPS, even if the scheme
- // chosen was HTTP.
- (
- hyper::header::STRICT_TRANSPORT_SECURITY,
- "max-age=63072000; includeSubDomains; preload",
- ),
- // Allows fine-grained control over how and when browsers transmit the HTTP Referer
- // header.
- (hyper::header::REFERRER_POLICY, "same-origin"),
- // Prevent loading scripts and stylesheets unless the server indicates the correct MIME
- // type.
- (hyper::header::X_CONTENT_TYPE_OPTIONS, "nosniff"),
- // [Older browser] Controls how this site can be framed within an iframe.
- (hyper::header::X_FRAME_OPTIONS, "DENY"),
- // [Older browser] Stops pages from loading when they detect reflected cross-site
- // scripting (XSS) attacks (IE and Chrome).
- (hyper::header::X_XSS_PROTECTION, "1; mode=block"),
- ],
- )
+ Ok(response)
}
async fn connected_user(
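Review bot: With `Ok(response)` the browser-facing hardening headers (CSP, HSTS, Referrer-Policy, X-Content-Type-Options, X-Frame-Options) now depend entirely on an nginx configuration that lives outside this repository, and nothing in routes.rs records that dependency, so a deployment that exposes the service without the proxy silently loses them. A comment above the return would keep the assumption visible: `// Security headers (CSP, HSTS, Referrer-Policy, nosniff, frame options) are expected to be added by the nginx reverse proxy in front of this service; see the proxy config.` The removed values included non-default choices (`frame-ancestors 'none'`, HSTS with `includeSubDomains; preload`), so the proxy configuration should reproduce them explicitly rather than rely on generic defaults. If `with_headers` in controller::utils has no remaining callers after the import removal in the first hunk, it is now dead code. The `routes` function begins outside this hunk.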