http: add random security headers
authorJo-Philipp Wich <jo@mein.io>
Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)
committerJo-Philipp Wich <jo@mein.io>
Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)
Fixes #1343.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
modules/luci-base/luasrc/http.lua

index 8795dfc4b27984059b1f697d0a9157795d49ea21..9cc9857867a430d00c67be669249685fa483daf2 100644 (file)
@@ -224,7 +224,15 @@ function write(content, src_err)
                                header("Cache-Control", "no-cache")
                                header("Expires", "0")
                        end
-
+                       if not context.headers["x-frame-options"] then
+                               header("X-Frame-Options", "SAMEORIGIN")
+                       end
+                       if not context.headers["x-xss-protection"] then
+                               header("X-XSS-Protection", "1; mode=block")
+                       end
+                       if not context.headers["x-content-type-options"] then
+                               header("X-Content-Type-Options", "nosniff")
+                       end
 
                        context.eoh = true
                        coroutine.yield(3)