From 7c316fc19a1d9e4e8d14c5d79748dc30733f41b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Garc=C3=ADa?= Date: Mon, 25 Jun 2018 20:35:36 +0200 Subject: [PATCH] Added security headers to web-vault (fixes #44) --- src/api/web.rs | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/src/api/web.rs b/src/api/web.rs index d65452dd..3866eac6 100644 --- a/src/api/web.rs +++ b/src/api/web.rs @@ -1,8 +1,9 @@ use std::io; use std::path::{Path, PathBuf}; +use rocket::request::Request; +use rocket::response::{self, NamedFile, Responder}; use rocket::Route; -use rocket::response::NamedFile; use rocket_contrib::Json; use CONFIG; @@ -17,27 +18,33 @@ pub fn routes() -> Vec { // TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache #[get("/")] -fn web_index() -> io::Result { - NamedFile::open( - Path::new(&CONFIG.web_vault_folder) - .join("index.html")) +fn web_index() -> WebHeaders> { + web_files("index.html".into()) } #[get("/", rank = 1)] // Only match this if the other routes don't match -fn web_files(p: PathBuf) -> io::Result { - NamedFile::open( - Path::new(&CONFIG.web_vault_folder) - .join(p)) +fn web_files(p: PathBuf) -> WebHeaders> { + WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p))) } +struct WebHeaders(R); + +impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders { + fn respond_to(self, req: &Request) -> response::Result<'r> { + let mut res = self.0.respond_to(req)?; + + res.set_raw_header("Referrer-Policy", "same-origin"); + res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); + res.set_raw_header("X-Content-Type-Options", "nosniff"); + res.set_raw_header("X-XSS-Protection", "1; mode=block"); + + Ok(res) + } +} #[get("/attachments//")] fn attachments(uuid: String, file: PathBuf) -> io::Result { - NamedFile::open( - Path::new(&CONFIG.attachments_folder) - .join(uuid) - .join(file) - ) + NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)) }