From f358d8f819c4177a9d716d7e33603e644a9a0c99 Mon Sep 17 00:00:00 2001 From: Vika Date: Thu, 2 Jan 2025 07:07:14 +0300 Subject: Set a minimal CSP - Styles and scripts can now only be loaded from Kittybox (hint: use the media endpoint if you wish to upload custom CSS) - Inline scripts are now completely prohibited (this means it's safe to show arbitrary HTML from Webmentions) - `` element is prohibited (who uses that anyway?) - Loading anything else is only allowed via HTTPS Change-Id: I285a18b71dd9860416b18dd0e88f8fe7c8511e0b --- Cargo.toml | 3 +-- src/lib.rs | 6 ++++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 20d0f89..bf14ded 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -87,7 +87,6 @@ tokio = "1.42.0" tokio-stream = "0.1.17" tokio-util = "0.7.13" tower = "0.5.2" -tower-http = "0.6.2" tower-layer = "0.3.3" tower-service = "0.3.3" tower-test = "0.4.0" @@ -160,7 +159,7 @@ tokio = { workspace = true, features = ["full", "tracing"] } tokio-stream = { workspace = true, features = ["time", "net"] } tokio-util = { workspace = true, features = ["io-util"] } tower = { workspace = true, features = ["tracing"] } -tower-http = { workspace = true, features = ["trace", "cors", "catch-panic", "sensitive-headers"] } +tower-http = { version = "0.6.2", features = ["trace", "cors", "catch-panic", "sensitive-headers", "set-header"] } tracing = { workspace = true, features = [] } tracing-log = { workspace = true } tracing-subscriber = { workspace = true, features = ["env-filter", "json"] } diff --git a/src/lib.rs b/src/lib.rs index e6bc24c..177dac4 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -308,4 +308,10 @@ St: Clone + Send + Sync + 'static axum::http::header::COOKIE, axum::http::header::SET_COOKIE, ])) + .layer(tower_http::set_header::SetResponseHeaderLayer::appending( + axum::http::header::CONTENT_SECURITY_POLICY, + axum::http::HeaderValue::from_static( + "default-src 'https:'; script-src 'self'; style-src 'self'; script-src-attr 'none'; base-uri 'none'" + ) + )) } -- cgit 1.4.1