diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/routes.rs | 35 |
1 files changed, 1 insertions, 34 deletions
diff --git a/src/routes.rs b/src/routes.rs index 723e0ea..7369f98 100644 --- a/src/routes.rs +++ b/src/routes.rs @@ -9,7 +9,6 @@ use url::form_urlencoded; use crate::controller; use crate::controller::utils::file; -use crate::controller::utils::with_headers; use crate::controller::wallet::Wallet; use crate::db; use crate::model::config::Config; @@ -63,39 +62,7 @@ pub async fn routes( }, }; - Ok(with_security_headers(response)) -} - -// Apply security headers, see https://infosec.mozilla.org/guidelines/web_security -fn with_security_headers(response: Response<Body>) -> Response<Body> { - with_headers( - response, - vec![ - // Allows fine-grained control over where resources can be loaded from. This is the - // best method to prevent cross-site scripting (XSS) vulnerabilities. - ( - hyper::header::CONTENT_SECURITY_POLICY, - "default-src 'self'; frame-ancestors 'none'", - ), - // Notifies user agents to only connect to a given site over HTTPS, even if the scheme - // chosen was HTTP. - ( - hyper::header::STRICT_TRANSPORT_SECURITY, - "max-age=63072000; includeSubDomains; preload", - ), - // Allows fine-grained control over how and when browsers transmit the HTTP Referer - // header. - (hyper::header::REFERRER_POLICY, "same-origin"), - // Prevent loading scripts and stylesheets unless the server indicates the correct MIME - // type. - (hyper::header::X_CONTENT_TYPE_OPTIONS, "nosniff"), - // [Older browser] Controls how this site can be framed within an iframe. - (hyper::header::X_FRAME_OPTIONS, "DENY"), - // [Older browser] Stops pages from loading when they detect reflected cross-site - // scripting (XSS) attacks (IE and Chrome). - (hyper::header::X_XSS_PROTECTION, "1; mode=block"), - ], - ) + Ok(response) } async fn connected_user( |