Set a strict Content-Security-Policy

imageproxy.go

@@ -252,6 +252,9 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 	// Enable CORS for 3rd party applications
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 
+	// Add a Content-Security-Policy to prevent stored-XSS attacks via SVG files
+	w.Header().Set("Content-Security-Policy", "script-src 'none'")
+
 	w.WriteHeader(resp.StatusCode)
 	if _, err := io.Copy(w, resp.Body); err != nil {
 		p.logf("error copying response: %v", err)