re-add security-related headers from ruqqus

2021-08-13 22:58:07 +02:00 · 2021-08-13 22:58:07 +02:00 · 1dbf563ea8
commit 1dbf563ea8
parent 69f68f43e9
1 changed files with 10 additions and 5 deletions
--- a/files/main.py
+++ b/files/main.py
@ -215,10 +215,12 @@ def before_request():
 	g.timestamp = int(time.time())

 	#do not access session for static files
-	if request.path.startswith("/assets"): return
-
+	if not request.path.startswith("/assets"):
 		session.permanent = True

+		if not session.get("session_id"):
+			session["session_id"] = secrets.token_hex(16)
+
 	ua_banned, response_tuple = get_useragent_ban_response(
 		request.headers.get("User-Agent", "NoAgent"))
 	if ua_banned and request.path != "/robots.txt":
@ -229,9 +231,6 @@ def before_request():
 		url = request.url.replace("http://", "https://", 1)
 		return redirect(url, code=301)

-	if not session.get("session_id"):
-		session["session_id"] = secrets.token_hex(16)
-
 	ua=request.headers.get("User-Agent","")
 	if "CriOS/" in ua:
 		g.system="ios/chrome"
@ -258,6 +257,12 @@ def after_request(response):
 		print(e)
 		abort(500)

+	response.headers.add("Strict-Transport-Security", "max-age=31536000")
+	response.headers.add("Referrer-Policy", "same-origin")
+
+	response.headers.add("Feature-Policy", "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; vibrate 'none'; fullscreen 'none'; payment 'none';")
+	if not request.path.startswith("/embed/"): response.headers.add("X-Frame-Options", "deny")
+
 	return response