take care of Permissions-Policy

Dawid Ciepiela · Dawid Ciepiela · commit 0e7b9d587a4d · 2025-05-02T16:20:21.000+02:00
diff --git a/pkg/api/endpoints/proxy.go b/pkg/api/endpoints/proxy.go
@@ -138,6 +138,7 @@ func (p ProxyState) ModifyResponse(resp *http.Response) error {
 	resp.Header.Del("Access-Control-Allow-Headers")
 	resp.Header.Del("Access-Control-Expose-Headers")
 	resp.Header.Del("Access-Control-Max-Age")
+	resp.Header.Del("Permissions-Policy")
 
 	// Ignore non-HTML content
 	if contentType := resp.Header.Get("Content-Type"); resp.Body == nil || !strings.Contains(contentType, gin.MIMEHTML) {
diff --git a/pkg/common/web/utils.go b/pkg/common/web/utils.go
@@ -317,6 +317,7 @@ func SessionSave(session sessions.Session, ctx *gin.Context) (success bool) {
 // SetContentSecurityHeaders sets the Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options headers.
 // It uses the nonce to set the script-src and style-src directives.
 func SetContentSecurityHeaders(w http.ResponseWriter, nonce string) {
+	// Set Content-Security-Policy header
 	w.Header().Set("Content-Security-Policy", strings.Join([]string{
 		"default-src 'none'",
 		"script-src 'self' 'nonce-" + nonce + "'",
@@ -332,6 +333,10 @@ func SetContentSecurityHeaders(w http.ResponseWriter, nonce string) {
 		"worker-src 'none'",
 		"upgrade-insecure-requests",
 	}, "; "))
-	w.Header().Set("X-Frame-Options", "DENY")
+
+	// Prevent MIME type sniffing
 	w.Header().Set("X-Content-Type-Options", "nosniff")
+
+	// Prevent clickjacking
+	w.Header().Set("X-Frame-Options", "DENY")
 }
