mirror of
https://github.com/superseriousbusiness/gotosocial
synced 2024-12-13 00:57:27 +01:00
02d6e2e3bc
* Set frame-ancestors in the CSP This ensures we can't be loaded/embedded in an iframe. It also sets the older X-Frame-Options for fallback. * Disable MIME type sniffing * Set Referrer-Policy This sets the policy such that browsers will never send the Referer header along with a request, unless it's a request to the same protocol, host/domain and port. Basically, only send it when navigating through our own UI, but not anything external. The default is strict-origin-when-cross-origin when unset, which sends the Referer header for requests unless it's going from HTTPS to HTTP (i.e a security downgrade, hence the 'strict'). |
||
---|---|---|
.. | ||
cachecontrol.go | ||
contentsecuritypolicy_test.go | ||
contentsecuritypolicy.go | ||
cors.go | ||
extraheaders.go | ||
gzip.go | ||
headerfilter_test.go | ||
headerfilter.go | ||
logger.go | ||
ratelimit_test.go | ||
ratelimit.go | ||
requestid.go | ||
session_test.go | ||
session.go | ||
signaturecheck.go | ||
throttling_test.go | ||
throttling.go | ||
tokencheck.go | ||
useragent.go | ||
util.go |