# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1611773496 -3600
# Node ID 6f2b69469060f6a129d787cbd7740f45259afcbe
# Parent  1ecda954fe97d4114a1ad57d42576370b4bc8f64
mod_http_file_share: More security headers

diff -r 1ecda954fe97 -r 6f2b69469060 plugins/mod_http_file_share.lua
--- a/plugins/mod_http_file_share.lua	Wed Jan 27 18:26:24 2021 +0100
+++ b/plugins/mod_http_file_share.lua	Wed Jan 27 19:51:36 2021 +0100
@@ -248,10 +248,12 @@
 
 	response.headers.cache_control = "max-age=31556952, immutable";
 	response.headers.content_security_policy =  "default-src 'none'; frame-ancestors 'none';"
+	response.headers.strict_transport_security = "max-age=31556952";
+	response.headers.x_content_type_options = "nosniff";
+	response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP?
+	response.headers.x_xss_protection = "1; mode=block";
 
 	return response:send_file(handle);
-	-- TODO
-	-- Set security headers
 end
 
 -- TODO periodic cleanup job