|
| 1 | +use conduit::{Request, Response}; |
| 2 | +use conduit_middleware::Middleware; |
1 | 3 | use curl;
|
2 | 4 | use curl::easy::{Easy, List};
|
3 | 5 | use oauth2::*;
|
4 | 6 | use app::App;
|
5 | 7 | use util::{CargoResult, internal, ChainError, human};
|
6 | 8 | use rustc_serialize::{json, Decodable};
|
7 | 9 | use std::str;
|
8 |
| - |
| 10 | +use std::error::Error; |
9 | 11 |
|
10 | 12 | /// Does all the nonsense for sending a GET to Github. Doesn't handle parsing
|
11 | 13 | /// because custom error-code handling may be desirable. Use
|
@@ -76,3 +78,38 @@ pub fn token(token: String) -> Token {
|
76 | 78 | token_type: String::new(),
|
77 | 79 | }
|
78 | 80 | }
|
| 81 | + |
| 82 | +pub struct SecurityHeadersMiddleware; |
| 83 | + |
| 84 | +impl Middleware for SecurityHeadersMiddleware { |
| 85 | + fn after(&self, _: &mut Request, mut res: Result<Response, Box<Error+Send>>) |
| 86 | + -> Result<Response, Box<Error+Send>> { |
| 87 | + if let Ok(ref mut response) = res { |
| 88 | + response.headers.insert( |
| 89 | + "Content-Security-Policy".into(), |
| 90 | + vec!["default-src 'self'; \ |
| 91 | + script-src 'self' https://www.google-analytics.com https://www.google.com; \ |
| 92 | + style-src 'self' https://www.google.com; \ |
| 93 | + img-src *; \ |
| 94 | + object-src 'none'".into()], |
| 95 | + ); |
| 96 | + response.headers.insert( |
| 97 | + "X-Content-Type-Options".into(), |
| 98 | + vec!["nosniff".into()], |
| 99 | + ); |
| 100 | + response.headers.insert( |
| 101 | + "X-Frame-Options".into(), |
| 102 | + vec!["SAMEORIGIN".into()], |
| 103 | + ); |
| 104 | + response.headers.insert( |
| 105 | + "X-XSS-Protection".into(), |
| 106 | + vec!["1; mode=block".into()], |
| 107 | + ); |
| 108 | + response.headers.insert( |
| 109 | + "Strict-Transport-Security".into(), |
| 110 | + vec!["max-age=31536000; includeSubDomains".into()], |
| 111 | + ); |
| 112 | + } |
| 113 | + res |
| 114 | + } |
| 115 | +} |
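Review bot: Each `response.headers.insert(...)` in `after` replaces whatever value a handler may already have put on the response, so a route that legitimately needs a different Content-Security-Policy (one embedding a third-party widget, say) cannot override this middleware and will have its header clobbered; if handlers should be able to override, use the map's entry API, e.g. `response.headers.entry("Content-Security-Policy".into()).or_insert_with(|| vec![CSP.into()]);` (assuming `headers` is a `HashMap<String, Vec<String>>`), or state in a doc comment on `SecurityHeadersMiddleware` that its values are authoritative and always win. Separately, `script-src` allow-lists the whole of `https://www.google.com` in addition to the analytics host, and host-wide allow-lists of large third-party domains are the usual way a CSP gets bypassed via endpoints on that host that echo caller-controlled callbacks, so a `// www.google.com is allow-listed for <feature>; keep this as narrow as possible` comment naming the one resource actually needed would let a later reader tighten it. `Strict-Transport-Security` with `includeSubDomains` commits every subdomain of the serving host to HTTPS for a year once a browser has seen the header, which is worth confirming against the deployment before this ships. Finally, only the `Ok` arm gets the headers, so any response synthesized from the `Err` path further up the stack carries none of them; if that is acceptable (a generic 500 with no content) a one-line comment saying so would stop the next reviewer asking.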