http: add random security headers
authorJo-Philipp Wich <jo@mein.io>
Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)
committerJo-Philipp Wich <jo@mein.io>
Sat, 2 Sep 2017 15:45:37 +0000 (17:45 +0200)
Fixes #1343.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
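--- a/modules/luci-base/luasrc/http.lua
+++ b/modules/luci-base/luasrc/http.lua
@@ -224,7 +224,15 @@ function write(content, src_err)
                                header("Cache-Control", "no-cache")
                                header("Expires", "0")
                        end
-
+                       if not context.headers["x-frame-options"] then
+                               header("X-Frame-Options", "SAMEORIGIN")
+                       end
+                       if not context.headers["x-xss-protection"] then
+                               header("X-XSS-Protection", "1; mode=block")
+                       end
+                       if not context.headers["x-content-type-options"] then
+                               header("X-Content-Type-Options", "nosniff")
+                       end
 
                        context.eoh = true
                        coroutine.yield(3)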
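Review bot: The three default headers in the new `if not context.headers[...]` blocks carry no comment on what each one mitigates or how a handler opts out, and the opt-out lookups use lower-case keys, which only works if `header()` stores names lower-cased (not visible in this hunk, worth confirming). A one-line comment above the block would cover it, e.g. `-- defaults: anti-clickjacking, legacy XSS filter, no MIME sniffing; set the header before the first write() to override`. `X-XSS-Protection` depends on a browser-side filter that current browsers no longer implement, so it is a legacy aid and not a replacement for output escaping or a Content-Security-Policy. A CSP `frame-ancestors 'self'` directive is the standards-track counterpart to `X-Frame-Options: SAMEORIGIN`. The enclosing `write` function starts and ends outside the hunk, so whether responses that never reach this branch also get the defaults cannot be judged from here.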