From: Christian Hofstaedtler
Date: Thu, 14 Jan 2016 10:58:28 +0000 (+0100)
Subject: webserver: set security headers
X-Git-Tag: auth-4.0.0-alpha2~4^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7fe2a2dc5c0351a8bbebf930ca4813fe7c56e062;p=thirdparty%2Fpdns.git
webserver: set security headers
Matching dnsdist.
---
diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index 5ccff1f554..8223b50f1a 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -148,6 +148,13 @@ static void apiWrapper(WebServer::HandlerFunction handler, HttpRequest* req, Htt
 resp->headers["Content-Type"] = "application/json";
+ // security headers
+ resp->headers["X-Content-Type-Options"] = "nosniff";
+ resp->headers["X-Frame-Options"] = "deny";
+ resp->headers["X-Permitted-Cross-Domain-Policies"] = "none";
+ resp->headers["X-XSS-Protection"] = "1; mode=block";
+ resp->headers["Content-Security-Policy"] = "default-src 'self'; style-src 'self' 'unsafe-inline'";
+ string callback;
 if(req->getvars.count("callback")) {
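Review bot: `X-Content-Type-Options: nosniff` is added while the response keeps `Content-Type: application/json`, and the context just below still reads a `callback` request variable, so if that path wraps the body as JSONP, a browser enforcing nosniff will refuse to execute it as script. If JSONP is meant to keep working, the callback branch should switch the type, e.g. `resp->headers["Content-Type"] = "application/javascript";`; otherwise this is a good moment to drop the callback handling, since a caller-chosen name reflected into the body is a risk of its own. The headers are also set only inside apiWrapper, so responses from other handlers, or from error paths that leave before this point, presumably go out without them; a shared helper applied to every response would close that gap. apiWrapper begins and ends outside the hunk, so neither the callback branch nor the error paths are visible here.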