Add X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options

2025-10-31 20:51:56 +00:00 · 2018-09-05 21:06:30 -05:00
parent a749ac73ac
commit 96234e509f
2 changed files with 15 additions and 0 deletions
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -106,6 +106,9 @@ spawn do
 end

 before_all do |env|
+  env.response.headers["X-XSS-Protection"] = "1; mode=block;"
+  env.response.headers["X-Content-Type-Options"] = "nosniff"
+
  # CSRF
  if Kemal.config.ssl || CONFIG.https_only
    host = env.request.headers["Host"]?
@@ -2945,6 +2948,7 @@ public_folder "assets"

 Kemal.config.powered_by_header = false
 add_handler FilteredCompressHandler.new
+add_handler DenyFrame.new
 add_context_storage_type(User)

 Kemal.run
--- a/src/invidious/helpers/helpers.cr
+++ b/src/invidious/helpers/helpers.cr
@@ -41,6 +41,17 @@ class FilteredCompressHandler < Kemal::Handler
  end
 end

+class DenyFrame < Kemal::Handler
+  exclude ["/embed/*"]
+
+  def call(env)
+    return call_next env if exclude_match? env
+
+    env.response.headers["X-Frame-Options"] = "sameorigin"
+    call_next env
+  end
+end
+
 def rank_videos(db, n, filter, url)
  top = [] of {Float64, String}