Enable strict CSP and mitigate clickjacking

Tankred Hase 2016-06-11 14:27:46 +02:00
parent 0bfeebb084
commit 3a551d2cdc
2 changed files with 9 additions and 1 deletions


@ -80,17 +80,25 @@ app.use(function *(next) {
// Set HTTP response headers
app.use(function *(next) {
// HSTS
if (util.isTrue(config.server.httpsUpgrade)) {
this.set('Strict-Transport-Security', 'max-age=16070400');
}
// HPKP
if (config.server.httpsKeyPin && config.server.httpsKeyPinBackup) {
this.set('Public-Key-Pins', 'pin-sha256="' + config.server.httpsKeyPin + '"; pin-sha256="' + config.server.httpsKeyPinBackup + '"; max-age=16070400');
}
// CSP
this.set('Content-Security-Policy', "default-src 'self'; object-src 'none'");
// Prevent rendering website in foreign iframe (Clickjacking)
this.set('X-Frame-Options', 'DENY');
// CORS
this.set('Access-Control-Allow-Origin', '*');
this.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
this.set('Access-Control-Allow-Headers', 'Content-Type');
this.set('Cache-Control', 'no-cache');
this.set('Connection', 'keep-alive');
yield next;
});
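Review bot: The new `Content-Security-Policy` header has no `frame-ancestors` directive, so the clickjacking defence rests on `X-Frame-Options` alone, which browsers treat as the legacy mechanism and which `frame-ancestors` supersedes where both are present. `frame-ancestors` and `base-uri` do not inherit from `default-src`, so the policy as written also leaves `<base>` injection unrestricted. Consider `this.set('Content-Security-Policy', "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'");` and keep the `X-Frame-Options: DENY` line for older browsers. Since this middleware runs on every response, including the `/pks/lookup` API routes, a one-line comment that the policy is intentionally global would help the next reader.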


@ -40,7 +40,7 @@
<div class="col-lg-12">
<h2>OpenPGP key lookup</h2>
<form action="/pks/lookup" method="get">
<input type="radio" name="op" value="get" checked="checked" style="display: none">
<input class="hidden" type="radio" name="op" value="get" checked="checked">
<div class="input-group input-group-lg">
<input class="form-control" name="search" type="text" spellcheck="false" placeholder="Email address or Key ID e.g. 0x11A1A9C84B18732F" required>
<span class="input-group-btn">
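Review bot: Replacing the inline `style` with `class="hidden"` makes the radio input depend on a `.hidden` rule in a stylesheet that must itself be same-origin under `default-src 'self'`; if that stylesheet ever moves off-origin the control becomes visible again. The native `hidden` attribute expresses the intent without any CSS dependency and is unaffected by CSP: `<input type="radio" name="op" value="get" checked="checked" hidden>`. Either way, a short comment noting that inline `style` attributes are blocked by the new CSP would explain why this attribute was changed.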