[feature] Set some security related headers (#3065)

* Set frame-ancestors in the CSP
   This ensures we can't be loaded/embedded in an iframe. It also sets the
   older X-Frame-Options for fallback.
* Disable MIME type sniffing
* Set Referrer-Policy
   This sets the policy such that browsers will never send the Referer
   header along with a request, unless it's a request to the same protocol,
   host/domain and port. Basically, only send it when navigating through
   our own UI, but not anything external.

   The default is strict-origin-when-cross-origin when unset, which sends
   the Referer header for requests unless it's going from HTTPS to HTTP
   (i.e a security downgrade, hence the 'strict').

1 files changed, 9 insertions, 0 deletions

diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index 1a3f1d522..c75b65551 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -27,6 +27,15 @@ func ExtraHeaders() gin.HandlerFunc {
 		// Inform all callers which server implementation this is.
 		c.Header("Server", "gotosocial")
 
+		// Equivalent to CSP frame-ancestors for older browsers
+		c.Header("X-Frame-Options", "DENY")
+
+		// Don't do MIME type sniffing
+		c.Header("X-Content-Type-Options", "nosniff")
+
+		// Only send Referer header for URLs matching our protocol, hostname and port
+		c.Header("Referrer-Policy", "same-origin")
+
 		// Prevent google chrome cohort tracking. Originally this was referred
 		// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says
 		// that interest-cohort will also block Topics (as of 2022-Nov).