Added more security in HTTP headers

package.json

@@ -1,6 +1,6 @@
 {
   "name": "meshcentral",
-  "version": "0.4.0-l",
+  "version": "0.4.0-n",
   "keywords": [
     "Remote Management",
     "Intel AMT",

sample-config.json

@@ -102,7 +102,11 @@
         "meshcommander": "https://www.meshcommander.com/"
       },
       "_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
-      "_httpheaders": { "Strict-Transport-Security": "max-age=360000" },
+      "_httpheaders": {
+        "Strict-Transport-Security": "max-age=360000",
+        "x-frame-options": "SAMEORIGIN",
+        "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
+      },
       "_agentConfig": [ "webSocketMaskOverride=1" ],
       "_SessionRecording": {
         "_filepath": "C:\\temp",

views/default.handlebars

@@ -1084,7 +1084,7 @@
             //window.addEventListener("focus", ondocfocus, false);
             window.addEventListener("blur", ondocblur, false);
             window.onresize = function () { masterUpdate(512); }
-            setTimeout("masterUpdate(512)", 200);
+            setTimeout(function() { masterUpdate(512); }, 200);
 
             // Connect to the mesh server
             meshserver = MeshServerCreateControl(domainUrl, authCookie);
@@ -2197,7 +2197,7 @@
             putstore("_deviceView", Q('viewselect').value);
             putstore("_viewsize", Q('sizeselect').value);
             masterUpdate(4);
-            setTimeout("masterUpdate(512)", 200);
+            setTimeout(function () { masterUpdate(512); }, 200);
         }
 
         function ondockeypress(e) {

webserver.js

@@ -3146,7 +3146,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
             // If this domain has configured headers, use them.
             // Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
             //                  { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
-            if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) { res.set(domain.httpheaders); }
+            if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) {
+                res.set(domain.httpheaders);
+            } else {
+                // Use default security headers
+                res.set({
+                    "X-Frame-Options": "sameorigin",
+                    "Referrer-Policy": "no-referrer",
+                    "X-XSS-Protection": "1; mode=block",
+                    "X-Content-Type-Options": "nosniff",
+                    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
+                });
+            }
 
             // Detect if this is a file sharing domain, if so, just share files.
             if ((domain != null) && (domain.share != null)) {