| author | Vika <vika@fireburn.ru> | 2025-01-02 07:07:14 +0300 |
|---|---|---|
| committer | Vika <vika@fireburn.ru> | 2025-01-02 07:07:14 +0300 |
| commit | f358d8f819c4177a9d716d7e33603e644a9a0c99 (patch) | |
| tree | 96e6cd24af29d007c531bc1d7c29135bfcd13533 /src/lib.rs | |
| parent | 78f8de236b7ab9755f0212a740d341a2518968da (diff) | |
| download | kittybox-f358d8f819c4177a9d716d7e33603e644a9a0c99.tar.zst | |
Set a minimal CSP
- Styles and scripts can now only be loaded from Kittybox (hint: use the media endpoint if you wish to upload custom CSS)
- Inline scripts are now completely prohibited (this means it's safe to show arbitrary HTML from Webmentions)
- `<base>` element is prohibited (who uses that anyway?)
- Loading anything else is only allowed via HTTPS

Change-Id: I285a18b71dd9860416b18dd0e88f8fe7c8511e0b
Diffstat (limited to 'src/lib.rs')
-rw-r--r-- | src/lib.rs | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/lib.rs b/src/lib.rs index e6bc24c..177dac4 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -308,4 +308,10 @@ St: Clone + Send + Sync + 'static axum::http::header::COOKIE, axum::http::header::SET_COOKIE, ])) + .layer(tower_http::set_header::SetResponseHeaderLayer::appending( + axum::http::header::CONTENT_SECURITY_POLICY, + axum::http::HeaderValue::from_static( + "default-src 'https:'; script-src 'self'; style-src 'self'; script-src-attr 'none'; base-uri 'none'" + ) + )) } |
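Review bot: the `'https:'` token in `default-src 'https:'` is quoted, but in CSP only keywords such as `'self'` and `'none'` take single quotes; a scheme source is written bare as `https:`. Browsers discard `'https:'` as an invalid source expression (with a console warning), which leaves `default-src` with an empty source list, and an empty list behaves like `'none'`, so images, fonts, fetch/XHR and other fallback-covered loads would be blocked instead of being allowed over HTTPS as the commit message intends. Suggest `"default-src https:; script-src 'self'; style-src 'self'; script-src-attr 'none'; base-uri 'none'"`, and verifying the deployed header against a browser's CSP console output before merging.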