Add Content-Security-Policy and X-Content-Type-Options headers to all responses

CHANGELOG.md

@@ -15,13 +15,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Added `/api/v1/statuses/{status_id}/thread` API endpoint (replaces `/api/v1/statuses/{status_id}/context`).
 - Accept webfinger requests where `resource` is instance actor ID.
 - Added `proxy_set_header X-Forwarded-Proto $scheme;` directive to nginx config example.
+- Add `Content-Security-Policy` and `X-Content-Type-Options` headers to all responses.
 
 ### Changed
 
 - Allow `instance_uri` configuration value to contain URI scheme.
-- Changed `Content-Security-Policy` header value in nginx config examples.
 - Changed `/api/v1/statuses/{status_id}/context` response format to match Mastodon API.
 - Changed status code of `/api/v1/statuses` response to 200 to match Mastodon API.
+- Removed `add_header` directives for `Content-Security-Policy` and `X-Content-Type-Options` headers from nginx config example.
 
 ### Deprecated
 

contrib/mitra-alt-fe.nginx

@@ -31,8 +31,8 @@ server {
     ssl_stapling_verify on;
 
     add_header Strict-Transport-Security "max-age=63072000" always;
-    # script-src unsafe-inline required by MetaMask
-    # style-src oauth-authorization required by OAuth authorization page
+
+    # CSP header can't be added in location block
     add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; img-src 'self' data:; media-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'nonce-oauth-authorization'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'";
     add_header X-Content-Type-Options "nosniff";
 

contrib/mitra.nginx

@@ -31,10 +31,6 @@ server {
     ssl_stapling_verify on;
 
     add_header Strict-Transport-Security "max-age=63072000" always;
-    # script-src unsafe-inline required by MetaMask
-    # style-src oauth-authorization required by OAuth authorization page
-    add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; img-src 'self' data:; media-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'nonce-oauth-authorization'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'";
-    add_header X-Content-Type-Options "nosniff";
 
     client_max_body_size 10M;
 

src/http.rs

@@ -3,7 +3,11 @@ use actix_web::{
     dev::{ConnectionInfo, ServiceResponse},
     error::{Error, JsonPayloadError},
     http::StatusCode,
-    middleware::{ErrorHandlerResponse, ErrorHandlers},
+    middleware::{
+        DefaultHeaders,
+        ErrorHandlerResponse,
+        ErrorHandlers,
+    },
     web::{Form, Json},
     Either,
     HttpRequest,
@@ -36,6 +40,25 @@ pub fn create_auth_error_handler<B: MessageBody + 'static>() -> ErrorHandlers<B>
         })
 }
 
+pub fn create_default_headers_middleware() -> DefaultHeaders {
+    DefaultHeaders::new()
+        .add((
+            "Content-Security-Policy",
+            // script-src unsafe-inline required by MetaMask
+            // style-src oauth-authorization required by OAuth authorization page
+            "default-src 'none'; \
+                connect-src 'self'; \
+                img-src 'self' data:; \
+                media-src 'self'; \
+                script-src 'self' 'unsafe-inline'; \
+                style-src 'self' 'nonce-oauth-authorization'; \
+                frame-ancestors 'none'; \
+                base-uri 'self'; \
+                form-action 'self'",
+        ))
+        .add(("X-Content-Type-Options", "nosniff"))
+}
+
 /// Convert JSON payload deserialization errors into validation errors
 pub fn json_error_handler(
     error: JsonPayloadError,

src/main.rs

@@ -17,6 +17,7 @@ use mitra::database::migrate::apply_migrations;
 use mitra::ethereum::contracts::get_contracts;
 use mitra::http::{
     create_auth_error_handler,
+    create_default_headers_middleware,
     json_error_handler,
 };
 use mitra::job_queue::scheduler;
@@ -133,6 +134,7 @@ async fn main() -> std::io::Result<()> {
                 }
             })
             .wrap(create_auth_error_handler())
+            .wrap(create_default_headers_middleware())
             .app_data(web::PayloadConfig::default().limit(UPLOAD_MAX_SIZE * 2))
             .app_data(web::JsonConfig::default()
                 .limit(UPLOAD_MAX_SIZE * 2)