Set a strict Content-Security-Policy

2024-12-16 21:56:43 -05:00 · 2020-10-16 09:52:54 -04:00 · 2020-10-16 09:52:54 -04:00 · c6206ea30c
commit c6206ea30c
parent 66c549e07b
1 changed files with 3 additions and 0 deletions
--- a/imageproxy.go
+++ b/imageproxy.go
@ -252,6 +252,9 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 	// Enable CORS for 3rd party applications
 	w.Header().Set("Access-Control-Allow-Origin", "*")

+	// Add a Content-Security-Policy to prevent stored-XSS attacks via SVG files
+	w.Header().Set("Content-Security-Policy", "script-src 'none'")
+
 	w.WriteHeader(resp.StatusCode)
 	if _, err := io.Copy(w, resp.Body); err != nil {
 		p.logf("error copying response: %v", err)