aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2021-01-27 19:51:36 +0100
committerKim Alvefur <zash@zash.se>2021-01-27 19:51:36 +0100
commitda882b75ab347030caff38dc670da96a158727de (patch)
tree10a591ce1460bb4a611e51a90c084894f546077e
parent6ce4972bf4b2cf8923af7d236558071083cbb17a (diff)
downloadprosody-da882b75ab347030caff38dc670da96a158727de.tar.gz
prosody-da882b75ab347030caff38dc670da96a158727de.zip
mod_http_file_share: More security headers
-rw-r--r--plugins/mod_http_file_share.lua6
1 files changed, 4 insertions, 2 deletions
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 4daf38a9..c2aa4301 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -248,10 +248,12 @@ function handle_download(event, path) -- GET /uploads/:slot+filename
response.headers.cache_control = "max-age=31556952, immutable";
response.headers.content_security_policy = "default-src 'none'; frame-ancestors 'none';"
+ response.headers.strict_transport_security = "max-age=31556952";
+ response.headers.x_content_type_options = "nosniff";
+ response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP?
+ response.headers.x_xss_protection = "1; mode=block";
return response:send_file(handle);
- -- TODO
- -- Set security headers
end
-- TODO periodic cleanup job