Add a default CSP

Disallows loading external ressources. Providers can override it with their reverse proxy settings.
author: Simon Ser <contact@emersion.fr> 2019-12-18 12:03:56 +0100
committer: Simon Ser <contact@emersion.fr> 2019-12-18 12:03:56 +0100
commit: 3d2da43207ee963cb813dfba3a338b9d9c918319 (patch)
tree: 9dea7082ee80cf37feba6684acb06e84e8ef60dc /server.go
parent: 80da410c3bb1c0d8d53c02867afc0cddd2f185bd (diff)
download: alps-3d2da43207ee963cb813dfba3a338b9d9c918319.tar.gz
alps-3d2da43207ee963cb813dfba3a338b9d9c918319.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/server.go b/server.go
index ab42684..df48303 100644
--- a/server.go
+++ b/server.go
@@ -168,6 +168,13 @@ func New(e *echo.Echo, options *Options) error {
 
 	e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(ectx echo.Context) error {
+			ectx.Response().Header().Set("Content-Security-Policy", "default-src 'self'")
+			return next(ectx)
+		}
+	})
+
+	e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(ectx echo.Context) error {
 			ctx := &Context{Context: ectx, Server: s}
 			ctx.Set("context", ctx)
author	Simon Ser <contact@emersion.fr>	2019-12-18 12:03:56 +0100
committer	Simon Ser <contact@emersion.fr>	2019-12-18 12:03:56 +0100
commit	3d2da43207ee963cb813dfba3a338b9d9c918319 (patch)
tree	9dea7082ee80cf37feba6684acb06e84e8ef60dc /server.go
parent	80da410c3bb1c0d8d53c02867afc0cddd2f185bd (diff)
download	alps-3d2da43207ee963cb813dfba3a338b9d9c918319.tar.gz alps-3d2da43207ee963cb813dfba3a338b9d9c918319.zip