Add recommended security headers from #618

author: Paulo Schneider <paulo.schneider@gmail.com> 2016-02-19 21:13:47 +0000
committer: Paulo Schneider <paulo.schneider@gmail.com> 2016-02-20 09:45:33 +0000
commit: 0b2461a655684c6d706d30a081350e59601eab33 (patch)
tree: f5b8598f5afbb0005486795c66577dbbd9f41718 /service/pixelated/config/site.py
parent: f1b338e5564a8458c906f903ee7e0383dae86287 (diff)
1 files changed, 7 insertions, 4 deletions
diff --git a/service/pixelated/config/site.py b/service/pixelated/config/site.py
index 8806366a..6a29c478 100644
--- a/service/pixelated/config/site.py
+++ b/service/pixelated/config/site.py
@@ -2,12 +2,15 @@ from twisted.web.server import Site, Request
 
 
 class AddCSPHeaderRequest(Request):
-    HEADER_VALUES = "default-src 'self'; style-src 'self' 'unsafe-inline'"
+    CSP_HEADER_VALUES = "default-src 'self'; style-src 'self' 'unsafe-inline'"
 
     def process(self):
-        self.setHeader("Content-Security-Policy", self.HEADER_VALUES)
-        self.setHeader("X-Content-Security-Policy", self.HEADER_VALUES)
-        self.setHeader("X-Webkit-CSP", self.HEADER_VALUES)
+        self.setHeader('Content-Security-Policy', self.CSP_HEADER_VALUES)
+        self.setHeader('X-Content-Security-Policy', self.CSP_HEADER_VALUES)
+        self.setHeader('X-Webkit-CSP', self.CSP_HEADER_VALUES)
+        self.setHeader('X-Frame-Options', 'SAMEORIGIN')
+        self.setHeader('X-XSS-Protection', '1; mode=block')
+        self.setHeader('X-Content-Type-Options', 'nosniff')
 
         if self.isSecure():
             self.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
author	Paulo Schneider <paulo.schneider@gmail.com>	2016-02-19 21:13:47 +0000
committer	Paulo Schneider <paulo.schneider@gmail.com>	2016-02-20 09:45:33 +0000
commit	0b2461a655684c6d706d30a081350e59601eab33 (patch)
tree	f5b8598f5afbb0005486795c66577dbbd9f41718 /service/pixelated/config/site.py
parent	f1b338e5564a8458c906f903ee7e0383dae86287 (diff)