diff options
| author | Kim Alvefur <zash@zash.se> | 2021-01-27 19:51:36 +0100 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2021-01-27 19:51:36 +0100 |
| commit | af9f7de3789f0b98e5322a66bcc8509561cc3d0e (patch) | |
| tree | 10a591ce1460bb4a611e51a90c084894f546077e | |
| parent | 2cb87c6ffa199726e8f7cd4b35b00cb72491465d (diff) | |
| download | prosody-af9f7de3789f0b98e5322a66bcc8509561cc3d0e.tar.gz prosody-af9f7de3789f0b98e5322a66bcc8509561cc3d0e.zip | |
mod_http_file_share: More security headers
| -rw-r--r-- | plugins/mod_http_file_share.lua | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua index 4daf38a9..c2aa4301 100644 --- a/plugins/mod_http_file_share.lua +++ b/plugins/mod_http_file_share.lua @@ -248,10 +248,12 @@ function handle_download(event, path) -- GET /uploads/:slot+filename response.headers.cache_control = "max-age=31556952, immutable"; response.headers.content_security_policy = "default-src 'none'; frame-ancestors 'none';" + response.headers.strict_transport_security = "max-age=31556952"; + response.headers.x_content_type_options = "nosniff"; + response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP? + response.headers.x_xss_protection = "1; mode=block"; return response:send_file(handle); - -- TODO - -- Set security headers end -- TODO periodic cleanup job |