From 7756dd80f38a51752cfb0df917744c2680ca923b Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Sun, 5 Feb 2017 12:19:47 +0800
Subject: [PATCH] [WebUI]: add X-XSS-Protection, X-Content-Type-Options, CSP header

---
 src/base/http/types.h                | 3 +++
 src/webui/abstractwebapplication.cpp | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/base/http/types.h b/src/base/http/types.h
index ae401c719..a8dc9a898 100644
--- a/src/base/http/types.h
+++ b/src/base/http/types.h
@@ -44,6 +44,9 @@ namespace Http
     const QString HEADER_CONTENT_LENGTH = "Content-Length";
     const QString HEADER_CACHE_CONTROL = "Cache-Control";
     const QString HEADER_X_FRAME_OPTIONS = "X-Frame-Options";
+    const QString HEADER_X_XSS_PROTECTION = "X-XSS-Protection";
+    const QString HEADER_X_CONTENT_TYPE_OPTIONS = "X-Content-Type-Options";
+    const QString HEADER_CONTENT_SECURITY_POLICY = "Content-Security-Policy";
 
     const QString CONTENT_TYPE_CSS = "text/css; charset=UTF-8";
     const QString CONTENT_TYPE_GIF = "image/gif";
diff --git a/src/webui/abstractwebapplication.cpp b/src/webui/abstractwebapplication.cpp
index 738f7f4c2..4bb5315d7 100644
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@@ -108,6 +108,9 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
 
     // avoid clickjacking attacks
     header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
+    header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
+    header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
+    header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self' 'unsafe-inline' 'unsafe-eval';");
 
     sessionInitialize();
     if (!sessionActive() && !isAuthNeeded())
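Review bot: The Content-Security-Policy value set on the third added line of the abstractwebapplication.cpp hunk, `default-src 'self' 'unsafe-inline' 'unsafe-eval';`, permits inline scripts and eval, so it leaves script injection into the WebUI essentially unmitigated; the only protection it adds is the `'self'` origin restriction on external resources. Presumably the current WebUI scripts require these source expressions, but the code does not say so, unlike the `// avoid clickjacking attacks` comment on the line above; add `// CSP: 'unsafe-inline'/'unsafe-eval' are required by the current WebUI scripts and leave inline script injection unmitigated; tighten to nonces or hashes once the UI no longer needs them` above the call. Since a CSP is now sent, consider also appending `frame-ancestors 'self';` to the policy so that browsers that honour CSP over X-Frame-Options keep the same framing restriction as the existing SAMEORIGIN header. The X-XSS-Protection header is browser-dependent defence in depth only, which is worth noting in the same comment so nobody later treats it as the primary XSS control. The enclosing processRequest body starts and ends outside the hunk.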