Add X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options

iv-org · Sep 6, 2018 · 96234e5 · 96234e5
1 parent a749ac7
commit 96234e5
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/src/invidious.cr b/src/invidious.cr
@@ -106,6 +106,9 @@ spawn do
 end
 
 before_all do |env|
+  env.response.headers["X-XSS-Protection"] = "1; mode=block;"
+  env.response.headers["X-Content-Type-Options"] = "nosniff"
+
   # CSRF
   if Kemal.config.ssl || CONFIG.https_only
     host = env.request.headers["Host"]?
@@ -2945,6 +2948,7 @@ public_folder "assets"
 
 Kemal.config.powered_by_header = false
 add_handler FilteredCompressHandler.new
+add_handler DenyFrame.new
 add_context_storage_type(User)
 
 Kemal.run
diff --git a/src/invidious/helpers/helpers.cr b/src/invidious/helpers/helpers.cr
@@ -41,6 +41,17 @@ class FilteredCompressHandler < Kemal::Handler
   end
 end
 
+class DenyFrame < Kemal::Handler
+  exclude ["/embed/*"]
+
+  def call(env)
+    return call_next env if exclude_match? env
+
+    env.response.headers["X-Frame-Options"] = "sameorigin"
+    call_next env
+  end
+end
+
 def rank_videos(db, n, filter, url)
   top = [] of {Float64, String}