added Content-Security-Policy to security

2021-11-30 13:31:12 +01:00 · 2021-11-30 13:31:12 +01:00 · 8bebce4c6e
commit 8bebce4c6e
parent e18f3746b4
1 changed files with 7 additions and 1 deletions
--- a/server/src/uds/core/util/middleware/security.py
+++ b/server/src/uds/core/util/middleware/security.py
@ -68,4 +68,10 @@ class UDSSecurityMiddleware:
            )
            return HttpResponse(content='Forbbiden', status=403)

-        return self.get_response(request)
+        response = self.get_response(request)
+        # Legacy browser support for X-XSS-Protection
+        response.headers.setdefault('X-XSS-Protection', '1; mode=block')
+        # Add Content-Security-Policy, allowing same origin and inline scripts, images from any https source and data:
+        response.headers.setdefault('Content-Security-Policy', "default-src 'self' 'unsafe-inline'; img-src 'self' https: data:;")
+
+        return response