commit 7c316fc19a1d9e4e8d14c5d79748dc30733f41b5
parent 1c45c2ec3a716392997b5f60dbbdde77385a7fb2
Author: Daniel GarcĂa <dani-garcia@users.noreply.github.com>
Date: Mon, 25 Jun 2018 20:35:36 +0200
Added security headers to web-vault (fixes #44)
Diffstat:
1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/src/api/web.rs b/src/api/web.rs
@@ -1,8 +1,9 @@
use std::io;
use std::path::{Path, PathBuf};
+use rocket::request::Request;
+use rocket::response::{self, NamedFile, Responder};
use rocket::Route;
-use rocket::response::NamedFile;
use rocket_contrib::Json;
use CONFIG;
@@ -17,27 +18,33 @@ pub fn routes() -> Vec<Route> {
// TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache
#[get("/")]
-fn web_index() -> io::Result<NamedFile> {
- NamedFile::open(
- Path::new(&CONFIG.web_vault_folder)
- .join("index.html"))
+fn web_index() -> WebHeaders<io::Result<NamedFile>> {
+ web_files("index.html".into())
}
#[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
-fn web_files(p: PathBuf) -> io::Result<NamedFile> {
- NamedFile::open(
- Path::new(&CONFIG.web_vault_folder)
- .join(p))
+fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> {
+ WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))
}
+struct WebHeaders<R>(R);
+
+impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> {
+ fn respond_to(self, req: &Request) -> response::Result<'r> {
+ let mut res = self.0.respond_to(req)?;
+
+ res.set_raw_header("Referrer-Policy", "same-origin");
+ res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
+ res.set_raw_header("X-Content-Type-Options", "nosniff");
+ res.set_raw_header("X-XSS-Protection", "1; mode=block");
+
+ Ok(res)
+ }
+}
#[get("/attachments/<uuid>/<file..>")]
fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> {
- NamedFile::open(
- Path::new(&CONFIG.attachments_folder)
- .join(uuid)
- .join(file)
- )
+ NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file))
}
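Review bot: The `attachments` route at the end of the hunk still returns a bare `io::Result<NamedFile>`, so user-uploaded files are served without the new headers, yet those responses are exactly where `X-Content-Type-Options: nosniff` and the frame restriction matter most: their content is chosen by whoever uploaded it and is served from the vault's own origin. Wrap it like the static routes: `fn attachments(uuid: String, file: PathBuf) -> WebHeaders<io::Result<NamedFile>> {` and `WebHeaders(NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)))`. It would also be worth setting `Content-Disposition: attachment` on that route so browsers download rather than render an uploaded HTML or SVG file inline, which `nosniff` alone does not prevent when the sniffed type is correct. Whether the route performs any authorization before opening the file is not visible in this hunk, so that should be confirmed separately.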