Include security headers required by security scan

2019-08-06 00:56:05 +03:00 · 2019-08-06 00:56:05 +03:00 · 93b375f6e1
parent b46fab5608
commit 93b375f6e1
1 changed files with 14 additions and 1 deletions
--- a/websockify/websocketproxy.py
+++ b/websockify/websocketproxy.py
@ -54,7 +54,20 @@ Traffic Legend:
            self.send_header(name, val)
        
        self.end_headers()
-    
+
+    def end_headers(self):
+        self.send_security_headers()
+
+        if self.request_version != 'HTTP/0.9':
+            self.wfile.write("\r\n")
+
+    def send_security_headers(self):
+        self.send_header("X-Frame-Options", "SAMEORIGIN")
+        self.send_header("Content-Security-Policy", "default-src 'self';")
+        self.send_header("X-XSS-Protection", "1")
+        self.send_header("X-Content-Type-Options", "nosniff")
+        self.send_header("Strict-Transport-Security", "max-age=16070400; includeSubDomains")
+
    def validate_connection(self):
        if not self.server.token_plugin:
            return