2 files changed, 18 insertions, 0 deletions

diff --git a/internal/middleware/contentsecuritypolicy.go b/internal/middleware/contentsecuritypolicy.go
index 5984a75c3..fb35c3a08 100644
--- a/internal/middleware/contentsecuritypolicy.go
+++ b/internal/middleware/contentsecuritypolicy.go
@@ -40,6 +40,7 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
 		objectSrc  = "object-src"
 		imgSrc     = "img-src"
 		mediaSrc   = "media-src"
+		frames     = "frame-ancestors"
 
 		self = "'self'"
 		none = "'none'"
@@ -103,6 +104,14 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
 	)
 
 	/*
+		frame-ancestors
+		https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+	*/
+
+	// Don't allow embedding us in an iframe
+	values[frames] = []string{none}
+
+	/*
 		Assemble policy directives.
 	*/
 
diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index 1a3f1d522..c75b65551 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -27,6 +27,15 @@ func ExtraHeaders() gin.HandlerFunc {
 		// Inform all callers which server implementation this is.
 		c.Header("Server", "gotosocial")
 
+		// Equivalent to CSP frame-ancestors for older browsers
+		c.Header("X-Frame-Options", "DENY")
+
+		// Don't do MIME type sniffing
+		c.Header("X-Content-Type-Options", "nosniff")
+
+		// Only send Referer header for URLs matching our protocol, hostname and port
+		c.Header("Referrer-Policy", "same-origin")
+
 		// Prevent google chrome cohort tracking. Originally this was referred
 		// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says
 		// that interest-cohort will also block Topics (as of 2022-Nov).