Add Referrer-Policy and X-Content-Type-Options headers - Githubissues

jech / galene

The Galène videoconference server

https://galene.org

MIT License

944 stars 130 forks source link

Add Referrer-Policy and X-Content-Type-Options headers #153

Closed erdnaxe closed 1 year ago

erdnaxe commented 1 year ago

This pull request proposes to set:

Referrer-Policy HTTP header to no-referrer. As Galène JavaScript code does not user referrer information, I believe it makes sense to disable it for privacy reasons.
X-Content-Type-Options to nosniff to ensure that browsers load CSS and JS only if the MIME type is correct. This may protect against some types of XSS attacks.

I have put this code inside cspHeader function as it seems to make sense there, but maybe the function should be renamed securityHeaders.

jech commented 1 year ago

Agreed on all counts. Applied as 02e7c7e.