From f358d8f819c4177a9d716d7e33603e644a9a0c99 Mon Sep 17 00:00:00 2001
From: Vika <vika@fireburn.ru>
Date: Thu, 2 Jan 2025 07:07:14 +0300
Subject: Set a minimal CSP

 - Styles and scripts can now only be loaded from Kittybox
   (hint: use the media endpoint if you wish to upload custom CSS)
 - Inline scripts are now completely prohibited
   (this means it's safe to show arbitrary HTML from Webmentions)
 - `<base>` element is prohibited (who uses that anyway?)
 - Loading anything else is only allowed via HTTPS

Change-Id: I285a18b71dd9860416b18dd0e88f8fe7c8511e0b
---
 src/lib.rs | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src')

diff --git a/src/lib.rs b/src/lib.rs
index e6bc24c..177dac4 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -308,4 +308,10 @@ St: Clone + Send + Sync + 'static
             axum::http::header::COOKIE,
             axum::http::header::SET_COOKIE,
         ]))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::appending(
+            axum::http::header::CONTENT_SECURITY_POLICY,
+            axum::http::HeaderValue::from_static(
+                "default-src 'https:'; script-src 'self'; style-src 'self'; script-src-attr 'none'; base-uri 'none'"
+            )
+        ))
 }
-- 
cgit 1.4.1