Skip to content
Permalink
Browse files

Add X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options

  • Loading branch information...
omarroth committed Sep 6, 2018
1 parent a749ac7 commit 96234e509f57a30cac5529725ecc8f550e24941f
Showing with 15 additions and 0 deletions.
  1. +4 −0 src/invidious.cr
  2. +11 −0 src/invidious/helpers/helpers.cr
@@ -106,6 +106,9 @@ spawn do
end

before_all do |env|
env.response.headers["X-XSS-Protection"] = "1; mode=block;"
env.response.headers["X-Content-Type-Options"] = "nosniff"

# CSRF
if Kemal.config.ssl || CONFIG.https_only
host = env.request.headers["Host"]?
@@ -2945,6 +2948,7 @@ public_folder "assets"

Kemal.config.powered_by_header = false
add_handler FilteredCompressHandler.new
add_handler DenyFrame.new
add_context_storage_type(User)

Kemal.run
@@ -41,6 +41,17 @@ class FilteredCompressHandler < Kemal::Handler
end
end

class DenyFrame < Kemal::Handler
exclude ["/embed/*"]

def call(env)
return call_next env if exclude_match? env

env.response.headers["X-Frame-Options"] = "sameorigin"
call_next env
end
end

def rank_videos(db, n, filter, url)
top = [] of {Float64, String}

0 comments on commit 96234e5

Please sign in to comment.
You can’t perform that action at this time.