Browse Source

[WebUI]: add X-XSS-Protection, X-Content-Type-Options, CSP header

adaptive-webui-19844
Chocobo1 8 years ago committed by sledgehammer999
parent
commit
7756dd80f3
No known key found for this signature in database
GPG Key ID: 6E4A2D025B7CC9A2
  1. 3
      src/base/http/types.h
  2. 3
      src/webui/abstractwebapplication.cpp

3
src/base/http/types.h

@ -44,6 +44,9 @@ namespace Http
const QString HEADER_CONTENT_LENGTH = "Content-Length"; const QString HEADER_CONTENT_LENGTH = "Content-Length";
const QString HEADER_CACHE_CONTROL = "Cache-Control"; const QString HEADER_CACHE_CONTROL = "Cache-Control";
const QString HEADER_X_FRAME_OPTIONS = "X-Frame-Options"; const QString HEADER_X_FRAME_OPTIONS = "X-Frame-Options";
const QString HEADER_X_XSS_PROTECTION = "X-XSS-Protection";
const QString HEADER_X_CONTENT_TYPE_OPTIONS = "X-Content-Type-Options";
const QString HEADER_CONTENT_SECURITY_POLICY = "Content-Security-Policy";
const QString CONTENT_TYPE_CSS = "text/css; charset=UTF-8"; const QString CONTENT_TYPE_CSS = "text/css; charset=UTF-8";
const QString CONTENT_TYPE_GIF = "image/gif"; const QString CONTENT_TYPE_GIF = "image/gif";

3
src/webui/abstractwebapplication.cpp

@ -108,6 +108,9 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
// avoid clickjacking attacks // avoid clickjacking attacks
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN"); header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self' 'unsafe-inline' 'unsafe-eval';");
sessionInitialize(); sessionInitialize();
if (!sessionActive() && !isAuthNeeded()) if (!sessionActive() && !isAuthNeeded())

Loading…
Cancel
Save