diff options
author | Kim Alvefur <zash@zash.se> | 2021-01-27 19:51:36 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2021-01-27 19:51:36 +0100 |
commit | da882b75ab347030caff38dc670da96a158727de (patch) | |
tree | 10a591ce1460bb4a611e51a90c084894f546077e | |
parent | 6ce4972bf4b2cf8923af7d236558071083cbb17a (diff) | |
download | prosody-da882b75ab347030caff38dc670da96a158727de.tar.gz prosody-da882b75ab347030caff38dc670da96a158727de.zip |
mod_http_file_share: More security headers
-rw-r--r-- | plugins/mod_http_file_share.lua | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua index 4daf38a9..c2aa4301 100644 --- a/plugins/mod_http_file_share.lua +++ b/plugins/mod_http_file_share.lua @@ -248,10 +248,12 @@ function handle_download(event, path) -- GET /uploads/:slot+filename response.headers.cache_control = "max-age=31556952, immutable"; response.headers.content_security_policy = "default-src 'none'; frame-ancestors 'none';" + response.headers.strict_transport_security = "max-age=31556952"; + response.headers.x_content_type_options = "nosniff"; + response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP? + response.headers.x_xss_protection = "1; mode=block"; return response:send_file(handle); - -- TODO - -- Set security headers end -- TODO periodic cleanup job |