From 49a6168607e1c0762f02d18773241155848c01b7 Mon Sep 17 00:00:00 2001
From: spikecodes <19519553+spikecodes@users.noreply.github.com>
Date: Fri, 29 Jan 2021 14:39:03 -0800
Subject: [PATCH] Improve CSP

---
 src/main.rs         | 3 +--
 templates/base.html | 4 +---
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index ec479f2..40f828c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -21,7 +21,6 @@ async fn style() -> HttpResponse {
 async fn robots() -> HttpResponse {
     HttpResponse::Ok()
-        .content_type("text/plain")
         .header("Cache-Control", "public, max-age=1209600, s-maxage=86400")
         .body("User-agent: *\nAllow: /")
 }
@@ -73,7 +72,7 @@ async fn main() -> std::io::Result<()> {
                 .header("Referrer-Policy", "no-referrer")
                 .header("X-Content-Type-Options", "nosniff")
                 .header("X-Frame-Options", "DENY")
-                .header("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; img-src 'self' data:; form-action 'self'; frame-ancestors: 'none';"))
+                .header("Content-Security-Policy", "default-src 'none'; style-src 'self' 'unsafe-inline'; base-uri 'none'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none';"))
             // Default service in case no routes match
             .default_service(web::get().to(|| utils::error("Nothing here".to_string())))
             // Read static files
diff --git a/templates/base.html b/templates/base.html
index 2eccb53..7764eae 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -3,13 +3,11 @@
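Review bot: The new policy still carries `style-src 'self' 'unsafe-inline'`, which after the move to `default-src 'none'` is the only directive that admits inline content, so the line deserves a comment recording why it is kept and when it can go, e.g. `// TODO: drop 'unsafe-inline' once the templates' inline styles are replaced by hashed or nonce'd blocks or moved into the served stylesheet`. Switching `default-src` to `'none'` also means every fetch directive not listed here (`script-src`, `font-src`, `connect-src`, `manifest-src`) now falls back to nothing, so the templates should be checked for any such reference; the `templates/base.html` hunk of this commit is cut off in this view, so I cannot confirm it covers that. Removing the colon from `frame-ancestors:` is a real fix (the old spelling was an unrecognized directive name, so the frame-ancestors restriction was not actually applied), and keeping `X-Frame-Options: DENY` alongside it for clients without CSP support is reasonable. The enclosing `main` body continues outside the hunk.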
{% block head %}