forked from midou/invidious
Add X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options
This commit is contained in:
parent
a749ac73ac
commit
96234e509f
@ -106,6 +106,9 @@ spawn do
|
||||
end
|
||||
|
||||
before_all do |env|
|
||||
env.response.headers["X-XSS-Protection"] = "1; mode=block;"
|
||||
env.response.headers["X-Content-Type-Options"] = "nosniff"
|
||||
|
||||
# CSRF
|
||||
if Kemal.config.ssl || CONFIG.https_only
|
||||
host = env.request.headers["Host"]?
|
||||
@ -2945,6 +2948,7 @@ public_folder "assets"
|
||||
|
||||
Kemal.config.powered_by_header = false
|
||||
add_handler FilteredCompressHandler.new
|
||||
add_handler DenyFrame.new
|
||||
add_context_storage_type(User)
|
||||
|
||||
Kemal.run
|
||||
|
@ -41,6 +41,17 @@ class FilteredCompressHandler < Kemal::Handler
|
||||
end
|
||||
end
|
||||
|
||||
class DenyFrame < Kemal::Handler
|
||||
exclude ["/embed/*"]
|
||||
|
||||
def call(env)
|
||||
return call_next env if exclude_match? env
|
||||
|
||||
env.response.headers["X-Frame-Options"] = "sameorigin"
|
||||
call_next env
|
||||
end
|
||||
end
|
||||
|
||||
def rank_videos(db, n, filter, url)
|
||||
top = [] of {Float64, String}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user