From 02d6e2e3bc62d97bed631b246ef9ffb033699442 Mon Sep 17 00:00:00 2001 From: Daenney Date: Thu, 4 Jul 2024 10:07:02 +0200 Subject: [PATCH] [feature] Set some security related headers (#3065) * Set frame-ancestors in the CSP This ensures we can't be loaded/embedded in an iframe. It also sets the older X-Frame-Options for fallback. * Disable MIME type sniffing * Set Referrer-Policy This sets the policy such that browsers will never send the Referer header along with a request, unless it's a request to the same protocol, host/domain and port. Basically, only send it when navigating through our own UI, but not anything external. The default is strict-origin-when-cross-origin when unset, which sends the Referer header for requests unless it's going from HTTPS to HTTP (i.e a security downgrade, hence the 'strict'). --- internal/middleware/contentsecuritypolicy.go | 9 +++++++++ internal/middleware/extraheaders.go | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/internal/middleware/contentsecuritypolicy.go b/internal/middleware/contentsecuritypolicy.go index 5984a75c3..fb35c3a08 100644 --- a/internal/middleware/contentsecuritypolicy.go +++ b/internal/middleware/contentsecuritypolicy.go @@ -40,6 +40,7 @@ func BuildContentSecurityPolicy(extraURIs ...string) string { objectSrc = "object-src" imgSrc = "img-src" mediaSrc = "media-src" + frames = "frame-ancestors" self = "'self'" none = "'none'" @@ -102,6 +103,14 @@ func BuildContentSecurityPolicy(extraURIs ...string) string { extraURIs..., ) + /* + frame-ancestors + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors + */ + + // Don't allow embedding us in an iframe + values[frames] = []string{none} + /* Assemble policy directives. */ diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go index 1a3f1d522..c75b65551 100644 --- a/internal/middleware/extraheaders.go +++ b/internal/middleware/extraheaders.go @@ -27,6 +27,15 @@ func ExtraHeaders() gin.HandlerFunc { // Inform all callers which server implementation this is. c.Header("Server", "gotosocial") + // Equivalent to CSP frame-ancestors for older browsers + c.Header("X-Frame-Options", "DENY") + + // Don't do MIME type sniffing + c.Header("X-Content-Type-Options", "nosniff") + + // Only send Referer header for URLs matching our protocol, hostname and port + c.Header("Referrer-Policy", "same-origin") + // Prevent google chrome cohort tracking. Originally this was referred // to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says // that interest-cohort will also block Topics (as of 2022-Nov).