diff --git a/app.py b/app.py index 452adbc..38ebe7c 100644 --- a/app.py +++ b/app.py @@ -74,7 +74,7 @@ limiter = Limiter(app, key_func=rate_limit_key) @app.after_request def install_security_headers(resp): - csp = "default-src 'none'; img-src 'self' https: http:; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'" + csp = "default-src 'none'; img-src 'self' https:; upgrade-insecure-requests; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'" if 'CSP_REPORT_URI' in app.config: csp += "; report-uri " + app.config.get('CSP_REPORT_URI') resp.headers.set('Content-Security-Policy', csp) @@ -85,6 +85,6 @@ def install_security_headers(resp): resp.headers.set('referrer-policy', 'no-referrer') resp.headers.set('x-content-type-options', 'nosniff') resp.headers.set('x-frame-options', 'DENY') - resp.headers.set('x-xss-protection', '0') + resp.headers.set('x-xss-protection', '1') return resp