Provide a content security policy

2019-03-04 09:41:34 +01:00 · 2019-03-04 09:41:34 +01:00 · e06255cd8f
commit e06255cd8f
parent 7a8eb5df45
1 changed files with 9 additions and 2 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -7,7 +7,7 @@ use actix_diesel::dsl::AsyncRunQueryDsl;
 use actix_diesel::Database;
 use actix_web::error::InternalError;
 use actix_web::fs::{NamedFile, StaticFiles};
-use actix_web::http::header::{LOCATION, X_FRAME_OPTIONS};
+use actix_web::http::header::{CONTENT_SECURITY_POLICY, LOCATION, X_FRAME_OPTIONS};
 use actix_web::http::{Method, StatusCode};
 use actix_web::middleware::{DefaultHeaders, Logger};
 use actix_web::{server, App, AsyncResponder, Form, HttpResponse, Path, State};
@ -191,7 +191,14 @@ fn main() -> io::Result<()> {
    server::new(move || {
        App::with_state(db.clone())
            .middleware(Logger::default())
-            .middleware(DefaultHeaders::new().header(X_FRAME_OPTIONS, "DENY"))
+            .middleware(
+                DefaultHeaders::new()
+                    .header(
+                        CONTENT_SECURITY_POLICY,
+                        "default-src 'self'; object-src 'none'",
+                    )
+                    .header(X_FRAME_OPTIONS, "DENY"),
+            )
            .resource("/", |r| {
                r.method(Method::GET).with(index);
                r.method(Method::POST).with(insert_paste);