From da882b75ab347030caff38dc670da96a158727de Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Wed, 27 Jan 2021 19:51:36 +0100
Subject: mod_http_file_share: More security headers

---
 plugins/mod_http_file_share.lua | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 4daf38a9..c2aa4301 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -248,10 +248,12 @@ function handle_download(event, path) -- GET /uploads/:slot+filename
 
 	response.headers.cache_control = "max-age=31556952, immutable";
 	response.headers.content_security_policy =  "default-src 'none'; frame-ancestors 'none';"
+	response.headers.strict_transport_security = "max-age=31556952";
+	response.headers.x_content_type_options = "nosniff";
+	response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP?
+	response.headers.x_xss_protection = "1; mode=block";
 
 	return response:send_file(handle);
-	-- TODO
-	-- Set security headers
 end
 
 -- TODO periodic cleanup job
-- 
cgit v1.2.3