Harden the CSP a bit for values that don't inherit default-src. Set Permissions-Policy. Remove TODO
parent
05f840ecc8
commit
db8f0cb141
|
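--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -132,11 +132,12 @@ class CustomMiddleware:
 ] = "no-referrer, strict-origin-when-cross-origin"
 headers["x-content-type-options"] = "nosniff"
 headers["x-xss-protection"] = "1; mode=block"
-headers["x-frame-options"] = "SAMEORIGIN"
-# TODO(ts): disallow inline CSS?
+headers["x-frame-options"] = "DENY"
+headers["permissions-policy"] = "interest-cohort=()"
 headers["content-security-policy"] = (
 f"default-src 'self'; "
 f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
+f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
 )
 if not DEBUG:
 headers["strict-transport-security"] = "max-age=63072000;"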
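Review bot: The new `permissions-policy` value only opts out of `interest-cohort`, so the header as added disables FLoC but leaves every powerful browser feature (camera, microphone, geolocation, payment, etc.) at its default; if the application never uses them, a denylist such as `headers["permissions-policy"] = "interest-cohort=(), camera=(), microphone=(), geolocation=()"` documents and enforces that. The added `frame-ancestors 'none'` is consistent with the new `x-frame-options: DENY`, which is good, but the unchanged `x-xss-protection: 1; mode=block` on the line above works against the hardening goal — current guidance is to send `0` (or drop the header) now that the CSP carries the protection. As a point of style, the added `f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"` line (like the `default-src` line) has no placeholder and does not need the `f` prefix. The enclosing method of `CustomMiddleware` starts and ends outside the hunk, so whether `headers` is later merged with values set elsewhere cannot be confirmed from here.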