diff options
| author |  Daenney <daenney@users.noreply.github.com> | 2024-07-04 10:07:02 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2024-07-04 10:07:02 +0200 |
| commit | 02d6e2e3bc62d97bed631b246ef9ffb033699442 (patch) | |
| tree | 8558f5f769537e8bf1147e596dff7efa1b22b5b5 /internal/processing/timeline/public_test.go | |
| parent | [chore] Allow gtsmodel to depend on util (#3068) (diff) | |
| download | gotosocial-02d6e2e3bc62d97bed631b246ef9ffb033699442.tar.xz | |
[feature] Set some security related headers (#3065)
* Set frame-ancestors in the CSP
This ensures we can't be loaded/embedded in an iframe. It also sets the
older X-Frame-Options for fallback.
* Disable MIME type sniffing
* Set Referrer-Policy
This sets the policy such that browsers will never send the Referer
header along with a request, unless it's a request to the same protocol,
host/domain and port. Basically, only send it when navigating through
our own UI, but not anything external.
The default is strict-origin-when-cross-origin when unset, which sends
the Referer header for requests unless it's going from HTTPS to HTTP
(i.e a security downgrade, hence the 'strict').
Diffstat (limited to 'internal/processing/timeline/public_test.go')
0 files changed, 0 insertions, 0 deletions