Add X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options

Omar Roth 2018-09-05 21:06:30 -05:00
parent a749ac73ac
commit 96234e509f
2 changed files with 15 additions and 0 deletions


@ -106,6 +106,9 @@ spawn do
end end
before_all do |env| before_all do |env|
env.response.headers["X-XSS-Protection"] = "1; mode=block;"
env.response.headers["X-Content-Type-Options"] = "nosniff"
# CSRF # CSRF
if Kemal.config.ssl || CONFIG.https_only if Kemal.config.ssl || CONFIG.https_only
host = env.request.headers["Host"]? host = env.request.headers["Host"]?
@ -2945,6 +2948,7 @@ public_folder "assets"
Kemal.config.powered_by_header = false Kemal.config.powered_by_header = false
add_handler FilteredCompressHandler.new add_handler FilteredCompressHandler.new
add_handler DenyFrame.new
add_context_storage_type(User) add_context_storage_type(User)
Kemal.run Kemal.run
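Review bot: The `X-XSS-Protection` line in `before_all` enables the legacy browser XSS filter, which current browsers have removed and which was a source of cross-site information leaks in older ones. Present guidance is to send `env.response.headers["X-XSS-Protection"] = "0"` and rely on a Content-Security-Policy; the value as written also ends in a stray semicolon. Both headers are set in a `before_all` filter, so responses that do not pass through the filter chain (for example files served from `public_folder`, if Kemal handles those earlier) may go out without `nosniff`, which is worth confirming. The `before_all` block continues past the end of the hunk.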


@ -41,6 +41,17 @@ class FilteredCompressHandler < Kemal::Handler
end end
end end
class DenyFrame < Kemal::Handler
exclude ["/embed/*"]
def call(env)
return call_next env if exclude_match? env
env.response.headers["X-Frame-Options"] = "sameorigin"
call_next env
end
end
def rank_videos(db, n, filter, url) def rank_videos(db, n, filter, url)
top = [] of {Float64, String} top = [] of {Float64, String}
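Review bot: `DenyFrame` is named for a deny policy but sends `sameorigin`, and nothing in the class says why `/embed/*` is left frameable by any origin. A comment above the class such as `# Sends X-Frame-Options: sameorigin on every route except /embed/*, which third-party sites must be able to frame` would record the intent. Because the embed routes stay frameable, they should not render state-changing controls that rely on the viewer's session. `X-Frame-Options` is the legacy mechanism; adding `frame-ancestors 'self'` to a Content-Security-Policy alongside it would cover browsers that prefer CSP, assuming no CSP is already set elsewhere.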