--- a/plugins/mod_http_file_share.lua Wed Jan 27 18:26:24 2021 +0100
+++ b/plugins/mod_http_file_share.lua Wed Jan 27 19:51:36 2021 +0100
@@ -248,10 +248,12 @@
response.headers.cache_control = "max-age=31556952, immutable";
response.headers.content_security_policy = "default-src 'none'; frame-ancestors 'none';"
+ response.headers.strict_transport_security = "max-age=31556952";
+ response.headers.x_content_type_options = "nosniff";
+ response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP?
+ response.headers.x_xss_protection = "1; mode=block";
return response:send_file(handle);
- -- TODO
- -- Set security headers
end
-- TODO periodic cleanup job