From f55ea5a3531e69ea24aa3e4d08ecef09693ef001 Mon Sep 17 00:00:00 2001
From: spikecodes <19519553+spikecodes@users.noreply.github.com>
Date: Thu, 28 Jan 2021 21:53:10 -0800
Subject: [PATCH] Specify default headers for security

---
 src/main.rs         | 8 ++++++++
 templates/base.html | 2 +-
 templates/post.html | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index c705bbb..ec479f2 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -21,12 +21,14 @@ async fn style() -> HttpResponse {
 
 async fn robots() -> HttpResponse {
 	HttpResponse::Ok()
+		.content_type("text/plain")
 		.header("Cache-Control", "public, max-age=1209600, s-maxage=86400")
 		.body("User-agent: *\nAllow: /")
 }
 
 async fn favicon() -> HttpResponse {
 	HttpResponse::Ok()
+		.content_type("image/x-icon")
 		.header("Cache-Control", "public, max-age=1209600, s-maxage=86400")
 		.body(include_bytes!("../static/favicon.ico").as_ref())
 }
@@ -66,6 +68,12 @@ async fn main() -> std::io::Result<()> {
 			})
 			// Append trailing slash and remove double slashes
 			.wrap(middleware::NormalizePath::default())
+			// Apply default headers for security
+			.wrap(middleware::DefaultHeaders::new()
+				.header("Referrer-Policy", "no-referrer")
+				.header("X-Content-Type-Options", "nosniff")
+				.header("X-Frame-Options", "DENY")
+				.header("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; img-src 'self' data:; form-action 'self'; frame-ancestors: 'none';"))
 			// Default service in case no routes match
 			.default_service(web::get().to(|| utils::error("Nothing here".to_string())))
 			// Read static files
diff --git a/templates/base.html b/templates/base.html
index 0de8a8e..2eccb53 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -4,7 +4,7 @@
 		{% block head %}
 		<title>{% block title %}Libreddit{% endblock %}</title>
 		<meta http-equiv="Referrer-Policy" content="no-referrer">
-		<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; img-src 'self' data:; form-action 'self';">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; img-src 'self' data:; form-action 'self'; frame-ancestors: 'none';">
 		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
 		<meta name="description" content="View on Libreddit, an alternative private front-end to Reddit.">
 		<meta name="viewport" content="width=device-width, initial-scale=1.0">
diff --git a/templates/post.html b/templates/post.html
index a44721c..cdddaf2 100644
--- a/templates/post.html
+++ b/templates/post.html
@@ -73,7 +73,7 @@
 				</svg>
 			</a>
 			{% else if post.post_type == "video" || post.post_type == "gif" %}
-			<video class="post_media" src="{{ post.media.url }}" type="video/mp4" controls autoplay loop playsinline></video>
+			<video class="post_media" src="{{ post.media.url }}" controls autoplay loop></video>
 			{% else if post.post_type == "link" %}
 			<a id="post_url" href="{{ post.media.url }}">{{ post.media.url }}</a>
 			{% endif %}