From 93b375f6e1816490e099edacaec6056976953923 Mon Sep 17 00:00:00 2001
From: Serkan Koyuncu
Date: Tue, 6 Aug 2019 00:56:05 +0300
Subject: [PATCH] Include security headers required by security scan
---
 websockify/websocketproxy.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/websockify/websocketproxy.py b/websockify/websocketproxy.py
index 6da5297..85d6a6d 100644
--- a/websockify/websocketproxy.py
+++ b/websockify/websocketproxy.py
@@ -54,7 +54,20 @@ Traffic Legend:
             self.send_header(name, val)
         self.end_headers()
-
+
+    def end_headers(self):
+        self.send_security_headers()
+
+        if self.request_version != 'HTTP/0.9':
+            self.wfile.write("\r\n")
+
+    def send_security_headers(self):
+        self.send_header("X-Frame-Options", "SAMEORIGIN")
+        self.send_header("Content-Security-Policy", "default-src 'self';")
+        self.send_header("X-XSS-Protection", "1")
+        self.send_header("X-Content-Type-Options", "nosniff")
+        self.send_header("Strict-Transport-Security", "max-age=16070400; includeSubDomains")
+
     def validate_connection(self):
         if not self.server.token_plugin:
             return
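Review bot: The new end_headers override re-implements the base handler's method instead of delegating to it, and the re-implementation only matches the Python 2 http.server behaviour: on Python 3, send_header appends to the handler's internal header buffer and end_headers is what flushes it, so with this override the buffered headers (including the security headers just added) are never written and `self.wfile.write("\r\n")` raises TypeError because wfile is a binary stream. The two lines after `self.send_security_headers()` should collapse to `super().end_headers()` (naming the base class explicitly if Python 2 is still supported), which keeps the HTTP/0.9 handling and the flush in one place. Separately, `Strict-Transport-Security` is emitted unconditionally, so it is also sent on plain-HTTP responses where browsers ignore it, and `X-XSS-Protection: 1` lacks `mode=block` while the CSP already covers that case; a comment on send_security_headers such as `# Fixed header set, sent on every response regardless of whether the listener uses TLS` would tell a reader that this is deliberate. The enclosing class begins outside the hunk, so the base class of this handler is inferred from the self.send_header/self.wfile usage rather than visible here.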