Implement Content-Security-Policy

server/serve_files.go

@@ -51,6 +51,7 @@ var (
 	}
 
 	hstsHeader string
+	cspEnabled bool
 )
 
 func initFileServer() {
@@ -88,7 +89,7 @@ func initFileServer() {
 			})
 		}
 
-		if viper.GetBool("https.hsts.enabled") {
+		if viper.GetBool("https.hsts.enabled") && viper.GetBool("https.enabled") {
 			hstsHeader = "max-age=" + viper.GetString("https.hsts.max_age")
 
 			if viper.GetBool("https.hsts.include_subdomains") {
@@ -98,6 +99,8 @@ func initFileServer() {
 				hstsHeader += "; preload"
 			}
 		}
+
+		cspEnabled = true
 	}
 }
 
@@ -130,6 +133,17 @@ func serveIndex(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if cspEnabled {
+		var connectSrc string
+		if r.TLS != nil {
+			connectSrc = "wss://" + r.Host
+		} else {
+			connectSrc = "ws://" + r.Host
+		}
+
+		w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src "+connectSrc)
+	}
+
 	w.Header().Set("Content-Type", "text/html")
 	w.Header().Set("Cache-Control", "no-store")
 	w.Header().Set("X-Content-Type-Options", "nosniff")