From db8f0cb141b9d39641f19d19fddba6fe05170aeb Mon Sep 17 00:00:00 2001
From: Miguel Jacq
Date: Tue, 30 Aug 2022 13:39:10 +1000
Subject: [PATCH] Harden the CSP a bit for values that don't inherit default-src. Set Permissions-Policy. Remove TODO

---
 app/main.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/main.py b/app/main.py
index 63f740b..e29f2f3 100644
--- a/app/main.py
+++ b/app/main.py
@@ -132,11 +132,12 @@ class CustomMiddleware:
 ] = "no-referrer, strict-origin-when-cross-origin"
 headers["x-content-type-options"] = "nosniff"
 headers["x-xss-protection"] = "1; mode=block"
- headers["x-frame-options"] = "SAMEORIGIN"
- # TODO(ts): disallow inline CSS?
+ headers["x-frame-options"] = "DENY"
+ headers["permissions-policy"] = "interest-cohort=()"
 headers["content-security-policy"] = (
 f"default-src 'self'; "
- f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}';"
+ f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
+ f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
 )
 if not DEBUG:
 headers["strict-transport-security"] = "max-age=63072000;"
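Review bot: The new CSP leaves `object-src` to fall back to `default-src 'self'`, so same-origin plugin/embed content is still permitted; since this commit is specifically adding the directives that need an explicit value, the last f-string should become `f"frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none';"`. The added `permissions-policy` of `interest-cohort=()` only opts the page out of FLoC, which Chrome has since abandoned, so on its own it buys little; if the app uses none of these features, `"camera=(), microphone=(), geolocation=(), interest-cohort=()"` restricts more for the same cost. The context line `headers["x-xss-protection"] = "1; mode=block"` is untouched here, but current guidance (e.g. OWASP) is to set it to `0`, since the legacy browser filter it enables has itself been a source of issues and modern browsers ignore it in favour of CSP. The enclosing method of `CustomMiddleware` begins before the hunk, so the full header-setting path is not visible here.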