From 11d0129f9661155dd2bd44cce5866726acd53433 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Sat, 2 Sep 2017 17:45:37 +0200 Subject: [PATCH] http: add random security headers Fixes #1343. Signed-off-by: Jo-Philipp Wich --- modules/luci-base/luasrc/http.lua | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/luci-base/luasrc/http.lua b/modules/luci-base/luasrc/http.lua index 8795dfc4b..9cc985786 100644 --- a/modules/luci-base/luasrc/http.lua +++ b/modules/luci-base/luasrc/http.lua @@ -224,7 +224,15 @@ function write(content, src_err) header("Cache-Control", "no-cache") header("Expires", "0") end - + if not context.headers["x-frame-options"] then + header("X-Frame-Options", "SAMEORIGIN") + end + if not context.headers["x-xss-protection"] then + header("X-XSS-Protection", "1; mode=block") + end + if not context.headers["x-content-type-options"] then + header("X-Content-Type-Options", "nosniff") + end context.eoh = true coroutine.yield(3) -- 2.25.1