add some security HTTP headers (#5814)

This change adds some security headers like Content-Security-Policy. It does not set the HSTS header because Content-Security-Policy prevents mixed HTTP and HTTPS content and the server does not use cookies. However it is a header which could be added later on. It also moves some header added by #5805 from a vendored file to a generic handler. Fixes ##5813
2025-12-08 16:53:11 -05:00 · 2018-04-13 00:57:41 +02:00
parent 1f07545e2a
commit f60765ac93
3 changed files with 19 additions and 5 deletions
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@@ -625,3 +625,19 @@ func (l rateLimit) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 	l.handler.ServeHTTP(w, r)
 }
+
+type securityHeaderHandler struct {
+	handler http.Handler
+}
+
+func addSecurityHeaders(h http.Handler) http.Handler {
+	return securityHeaderHandler{handler: h}
+}
+
+func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	header := w.Header()
+	header.Set("X-XSS-Protection", "\"1; mode=block\"")              // Prevents against XSS attacks
+	header.Set("X-Frame-Options", "SAMEORIGIN")                      // Prevents against Clickjacking
+	header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
+	s.handler.ServeHTTP(w, r)
+}