Changeset

11327:6f2b69469060

mod_http_file_share: More security headers
author Kim Alvefur <zash@zash.se>
date Wed, 27 Jan 2021 19:51:36 +0100
parents 11326:1ecda954fe97
children 11328:ceaa3cebf28b
files plugins/mod_http_file_share.lua
diffstat 1 files changed, 4 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/plugins/mod_http_file_share.lua	Wed Jan 27 18:26:24 2021 +0100
+++ b/plugins/mod_http_file_share.lua	Wed Jan 27 19:51:36 2021 +0100
@@ -248,10 +248,12 @@
 
 	response.headers.cache_control = "max-age=31556952, immutable";
 	response.headers.content_security_policy =  "default-src 'none'; frame-ancestors 'none';"
+	response.headers.strict_transport_security = "max-age=31556952";
+	response.headers.x_content_type_options = "nosniff";
+	response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP?
+	response.headers.x_xss_protection = "1; mode=block";
 
 	return response:send_file(handle);
-	-- TODO
-	-- Set security headers
 end
 
 -- TODO periodic cleanup job