
Adds security headers in response

Abhinav Sarkar 4 years ago
parent
commit
f816f6d591
2 changed files with 10 additions and 0 deletions
  1. 1
    0
      README.md
  2. 9
    0
      src/Main.hs

+ 1
- 0
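--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ _hastatic_ is a very small web server for serving static files from a Docker con
 - Supports custom index files for URLs ending with "/".
 - Takes care to not serve hidden files.
 - Adds caching headers automatically.
+- Adds security headers automatically.
 - Caches file descriptors and info for better performance.
 
 ## Usage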

+ 9
- 0
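--- a/src/Main.hs
+++ b/src/Main.hs
@@ -24,6 +24,14 @@ import Paths_hastatic (version)
 
 data TLS = Okay TLS.TLSSettings | Error String | None
 
+addSecureHeaders :: Middleware
+addSecureHeaders = modifyResponse $ mapResponseHeaders (++ secureHeaders)
+  where
+    secureHeaders = [ ("Referrer-Policy", "strict-origin-when-cross-origin")
+                    , ("X-Frame-Options", "SAMEORIGIN")
+                    , ("X-XSS-Protection", "1; mode=block")
+                    ]
+
 indexHTML :: T.Text -> Middleware
 indexHTML indexFile app req respond =
   let path = pathInfo req
@@ -55,6 +63,7 @@ application excludedPaths = do
   indexFile    <- T.pack . fromMaybe "index.html" <$> lookupEnv "IDX_FILE"
   cache        <- initCaching PublicStaticCaching
   return
+    . addSecureHeaders
     . indexHTML indexFile
     . staticPolicy' cache polcy
     . notFoundHandler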
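Review bot: In the `secureHeaders` list of the first hunk, `("X-XSS-Protection", "1; mode=block")` enables a legacy browser XSS filter that current browsers no longer implement and that caused cross-site information leaks in older ones. The list also omits `X-Content-Type-Options`, the header that matters most for a server whose job is handing out files. I would replace that entry with `("X-Content-Type-Options", "nosniff")`, and if the filter header is kept at all, set its value to `"0"`. Separately, `(++ secureHeaders)` appends unconditionally, so a response that already carries one of these header names would end up with it twice. Nothing visible here sets them, but `application` continues outside the second hunk, so that is worth confirming.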
