Add a default CSP

Disallows loading external ressources. Providers can override it with
their reverse proxy settings.
This commit is contained in:
Simon Ser 2019-12-18 12:03:56 +01:00
parent 80da410c3b
commit 3d2da43207
No known key found for this signature in database
GPG key ID: 0FDE7BE0E88F5E48

View file

@ -166,6 +166,13 @@ func New(e *echo.Echo, options *Options) error {
c.String(code, err.Error()) c.String(code, err.Error())
} }
e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
return func(ectx echo.Context) error {
ectx.Response().Header().Set("Content-Security-Policy", "default-src 'self'")
return next(ectx)
}
})
e.Use(func(next echo.HandlerFunc) echo.HandlerFunc { e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
return func(ectx echo.Context) error { return func(ectx echo.Context) error {
ctx := &Context{Context: ectx, Server: s} ctx := &Context{Context: ectx, Server: s}