http: add random security headers

author Jo-Philipp Wich <jo@mein.io>

Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)

committer Jo-Philipp Wich <jo@mein.io>

Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)
author Jo-Philipp Wich <jo@mein.io>
Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)
diff --git a/modules/luci-base/luasrc/http.lua b/modules/luci-base/luasrc/http.lua

index 8795dfc4b27984059b1f697d0a9157795d49ea21..9cc9857867a430d00c67be669249685fa483daf2 100644 (file)
--- a/modules/luci-base/luasrc/http.lua
+++ b/modules/luci-base/luasrc/http.lua
@@ -224,7 +224,15 @@ function write(content, src_err)
                                 header("Cache-Control", "no-cache")
                                 header("Expires", "0")
                         end
-
+                       if not context.headers["x-frame-options"] then
+                               header("X-Frame-Options", "SAMEORIGIN")
+                       end
+                       if not context.headers["x-xss-protection"] then
+                               header("X-XSS-Protection", "1; mode=block")
+                       end
+                       if not context.headers["x-content-type-options"] then
+                               header("X-Content-Type-Options", "nosniff")
+                       end
  
                         context.eoh = true
                         coroutine.yield(3)
author	Jo-Philipp Wich <jo@mein.io>
	Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)
committer	Jo-Philipp Wich <jo@mein.io>
	Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)