webserver: set security headers

Matching dnsdist.

diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index 5ccff1f554c2c9cd022ab157a5071ea5d5b069c2..8223b50f1ad3777647c7f180e953c4d0d36c07e6 100644 (file)
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -148,6 +148,13 @@ static void apiWrapper(WebServer::HandlerFunction handler, HttpRequest* req, Htt
 
   resp->headers["Content-Type"] = "application/json";
 
+  // security headers
+  resp->headers["X-Content-Type-Options"] = "nosniff";
+  resp->headers["X-Frame-Options"] = "deny";
+  resp->headers["X-Permitted-Cross-Domain-Policies"] = "none";
+  resp->headers["X-XSS-Protection"] = "1; mode=block";
+  resp->headers["Content-Security-Policy"] = "default-src 'self'; style-src 'self' 'unsafe-inline'";
+
   string callback;
 
   if(req->getvars.count("callback")) {