Mercurial > prosody-hg
comparison plugins/mod_http_file_share.lua @ 11327:6f2b69469060
mod_http_file_share: More security headers
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 27 Jan 2021 19:51:36 +0100 |
| parents | 1ecda954fe97 |
| children | ceaa3cebf28b |
comparison
equal
deleted
inserted
replaced
| 11326:1ecda954fe97 | 11327:6f2b69469060 |
|---|---|
| 246 response.headers.content_type = slot.attr["content-type"] or "application/octet-stream"; | 246 response.headers.content_type = slot.attr["content-type"] or "application/octet-stream"; |
| 247 response.headers.content_disposition = string.format("attachment; filename=%q", slot.attr.filename); | 247 response.headers.content_disposition = string.format("attachment; filename=%q", slot.attr.filename); |
| 248 | 248 |
| 249 response.headers.cache_control = "max-age=31556952, immutable"; | 249 response.headers.cache_control = "max-age=31556952, immutable"; |
| 250 response.headers.content_security_policy = "default-src 'none'; frame-ancestors 'none';" | 250 response.headers.content_security_policy = "default-src 'none'; frame-ancestors 'none';" |
| 251 response.headers.strict_transport_security = "max-age=31556952"; | |
| 252 response.headers.x_content_type_options = "nosniff"; | |
| 253 response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP? | |
| 254 response.headers.x_xss_protection = "1; mode=block"; | |
| 251 | 255 |
| 252 return response:send_file(handle); | 256 return response:send_file(handle); |
| 253 -- TODO | |
| 254 -- Set security headers | |
| 255 end | 257 end |
| 256 | 258 |
| 257 -- TODO periodic cleanup job | 259 -- TODO periodic cleanup job |
| 258 | 260 |
| 259 module:hook("iq-get/host/urn:xmpp:http:upload:0:request", handle_slot_request); | 261 module:hook("iq-get/host/urn:xmpp:http:upload:0:request", handle_slot_request); |
