From 69b91aa186035c005b2283c2699b41dbefd77146 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lukas=20L=C3=B6sche?=
Date: Tue, 3 Sep 2024 17:40:22 +0200
Subject: [PATCH] [feat] Add Referrer-Policy and Permissions-Policy headers

---
 fixbackend/app.py | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/fixbackend/app.py b/fixbackend/app.py
index 2793c54c..3bc2b495 100644
--- a/fixbackend/app.py
+++ b/fixbackend/app.py
@@ -79,6 +79,23 @@ async def custom_ui(hash: str) -> Response:
     headers["X-Content-Type-Options"] = "nosniff"
     headers["X-Frame-Options"] = "DENY"
     headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+    headers["Referrer-Policy"] = "origin-when-cross-origin"
+    headers["Permissions-Policy"] = (
+        "notifications=(self),"
+        " payment=(self),"
+        " fullscreen=(self),"
+        " geolocation=(),"
+        " camera=(),"
+        " microphone=(),"
+        " accelerometer=(),"
+        " gyroscope=(),"
+        " magnetometer=(),"
+        " usb=(),"
+        " vr=(),"
+        " xr-spatial-tracking=(),"
+        " autoplay=(),"
+        " midi=()"
+    )
     headers["Content-Security-Policy"] = (
         "default-src 'self' https://cdn.fix.security;"
         f" connect-src 'self' data: https://cdn.fix.security https://capture.trackjs.com https://ph.fix.security;"
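Review bot: The Referrer-Policy value added in this hunk, `origin-when-cross-origin`, still sends the origin on an HTTPS-to-HTTP downgrade, so a cross-origin link or resource on a plain-HTTP destination learns the site's origin over cleartext. `strict-origin-when-cross-origin`, the current browser default, keeps the same same-origin behaviour and drops the referrer on downgrade, and `same-origin` would be the stricter choice for an authenticated app UI; I would change the line to `headers["Referrer-Policy"] = "strict-origin-when-cross-origin"`. A short comment stating which policy was chosen and why would also help, since the value is otherwise easy to "tidy up" back to the weaker form. The enclosing `custom_ui` starts before the hunk and its Content-Security-Policy assignment continues past it.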
@@ -337,6 +354,23 @@ async def root(_: Request) -> Response:
     headers["X-Content-Type-Options"] = "nosniff"
     headers["X-Frame-Options"] = "DENY"
     headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+    headers["Referrer-Policy"] = "origin-when-cross-origin"
+    headers["Permissions-Policy"] = (
+        "notifications=(self),"
+        " payment=(self),"
+        " fullscreen=(self),"
+        " geolocation=(),"
+        " camera=(),"
+        " microphone=(),"
+        " accelerometer=(),"
+        " gyroscope=(),"
+        " magnetometer=(),"
+        " usb=(),"
+        " vr=(),"
+        " xr-spatial-tracking=(),"
+        " autoplay=(),"
+        " midi=()"
+    )
     headers["Content-Security-Policy"] = (
         "default-src 'self' https://cdn.fix.security;"
         f" connect-src 'self' data: https://cdn.fix.security https://capture.trackjs.com https://ph.fix.security;"
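Review bot: Two of the feature names in the new Permissions-Policy value look stale: `vr` was superseded by `xr-spatial-tracking` (which the list already includes), and I am not aware of `notifications` being a policy-controlled feature in any shipping browser, so browsers will silently ignore those entries rather than enforce them; worth checking against the current feature list and dropping what is not recognised. The Permissions-Policy literal is also repeated verbatim here and in `custom_ui`, so the two responses will drift the next time one of them is adjusted; hoisting it into a module-level constant such as `_PERMISSIONS_POLICY = "payment=(self), fullscreen=(self), geolocation=(), ..."` (or a small `_apply_security_headers(headers)` helper) and writing `headers["Permissions-Policy"] = _PERMISSIONS_POLICY` in both places would keep them in lock-step. The enclosing `root` begins before this hunk and its Content-Security-Policy assignment continues after it.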