csp: only set upgrade-insecure-requests when over https

codl 2017-08-28 09:12:32 +02:00
parent 3be1b79b92
commit 31bdf87c89
No known key found for this signature in database
GPG Key ID: 6CD7C8891ED1233A
1 changed files with 3 additions and 2 deletions

app.py

@ -74,14 +74,15 @@ limiter = Limiter(app, key_func=rate_limit_key)
@app.after_request
def install_security_headers(resp):
csp = "default-src 'none'; img-src 'self' https:; upgrade-insecure-requests; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'"
csp = "default-src 'none'; img-src 'self' https:; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'"
if 'CSP_REPORT_URI' in app.config:
csp += "; report-uri " + app.config.get('CSP_REPORT_URI')
resp.headers.set('Content-Security-Policy', csp)
if app.config.get('HTTPS'):
resp.headers.set('strict-transport-security', 'max-age={}'.format(60*60*24*365))
csp += "; upgrade-insecure-requests"
resp.headers.set('Content-Security-Policy', csp)
resp.headers.set('referrer-policy', 'no-referrer')
resp.headers.set('x-content-type-options', 'nosniff')
resp.headers.set('x-frame-options', 'DENY')