From 11d0129f9661155dd2bd44cce5866726acd53433 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sat, 2 Sep 2017 17:45:37 +0200
Subject: [PATCH] http: add random security headers
Fixes #1343.
Signed-off-by: Jo-Philipp Wich
---
 modules/luci-base/luasrc/http.lua | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/luci-base/luasrc/http.lua b/modules/luci-base/luasrc/http.lua
index 8795dfc4b..9cc985786 100644
--- a/modules/luci-base/luasrc/http.lua
+++ b/modules/luci-base/luasrc/http.lua
@@ -224,7 +224,15 @@ function write(content, src_err)
 header("Cache-Control", "no-cache")
 header("Expires", "0")
 end
-
+ if not context.headers["x-frame-options"] then
+ header("X-Frame-Options", "SAMEORIGIN")
+ end
+ if not context.headers["x-xss-protection"] then
+ header("X-XSS-Protection", "1; mode=block")
+ end
+ if not context.headers["x-content-type-options"] then
+ header("X-Content-Type-Options", "nosniff")
+ end
 context.eoh = true
 coroutine.yield(3)
--
2.11.0
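Review bot: The `X-XSS-Protection: 1; mode=block` default added in the second `if` only has an effect in browsers that still ship an XSS filter; current Chromium-based browsers and Firefox ignore it, so it should not be counted as XSS mitigation for these pages, and a `Content-Security-Policy` default would be the control to add beside it. All three defaults are skipped when a handler has already set the header, so any handler-supplied value wins, including a weaker one; a comment above the first check such as `-- security defaults; a handler-supplied value takes precedence` would make that explicit. The lookups use lower-case keys, which presumably matches how `header()` stores names, but that function is not visible in this hunk and is worth confirming. `write()` starts and ends outside the hunk, so whether responses that never reach this branch also receive the headers cannot be judged from here.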