From 2203979b9c6fb2322c5f3eabfa5f613c9f93b9e1 Mon Sep 17 00:00:00 2001
From: Yassine ABOUKIR
Date: Fri, 22 Jan 2021 19:05:12 +0100
Subject: [PATCH] Add X-XSS-Protection HTTP response header to block potential XSS

---
 imageproxy.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/imageproxy.go b/imageproxy.go
index 2f1d6f6..d738b76 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -257,6 +257,9 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 // Disable Content-Type sniffing
 w.Header().Set("X-Content-Type-Options", "nosniff")
+
+ // Block potential XSS attacks especially in legacy browsers which do not support CSP
+ w.Header().Set("X-XSS-Protection", "1; mode=block")
 w.WriteHeader(resp.StatusCode)
 if _, err := io.Copy(w, resp.Body); err != nil {