From e39de653674b1e49b7aef18b09ad62ab7537bd99 Mon Sep 17 00:00:00 2001
From: rwagner_inf
Date: Thu, 12 Apr 2018 18:09:38 -0300
Subject: [PATCH] Add security HTTP Headers (#5805)

Some HTTP security headers in Minio. To avoid problems with XSS and Clickjacking attacks.

X-Frame-Options

X-Frame-Options response header improve the protection of web applications against Clickjacking. It declares a policy communicated from a host to the client browser on whether the browser must not display the transmitted content in frames of other web pages.

X-XSS-Protection

This header enables the Cross-site scripting (XSS) filter in your browser.
---
 vendor/github.com/gorilla/rpc/v2/server.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/vendor/github.com/gorilla/rpc/v2/server.go b/vendor/github.com/gorilla/rpc/v2/server.go
index bd0a42db4..bdf140106 100644
--- a/vendor/github.com/gorilla/rpc/v2/server.go
+++ b/vendor/github.com/gorilla/rpc/v2/server.go
@@ -149,6 +149,11 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // Prevents Internet Explorer from MIME-sniffing a response away
 // from the declared content-type
 w.Header().Set("x-content-type-options", "nosniff")
+ // Prevents against XSS Atacks
+ w.Header().Set("X-XSS-Protection", "\"1; mode=block\"")
+ // Prevents against Clickjacking
+ w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+
 // Encode the response.
 if errResult == nil {
 codecReq.WriteResponse(w, reply.Interface())
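Review bot: The X-XSS-Protection value in the added `w.Header().Set` line carries escaped quotes, so the header goes out on the wire as `"1; mode=block"` with literal double-quote characters, which is not the token form the header is defined in and will be treated as malformed by any browser that still evaluates it; it should read `w.Header().Set("X-XSS-Protection", "1; mode=block")`. Even once fixed, the XSS auditor this header toggles is deprecated and has been removed from current Chromium-based browsers (Firefox never implemented it), so a Content-Security-Policy header is the control actually worth adding here; if X-XSS-Protection is kept for legacy clients, the comment should say so and fix the typo, e.g. `// Legacy-only: ask older browsers to block reflected XSS (deprecated, superseded by CSP)`. Because the edit lands in a vendored copy of gorilla/rpc, it will be silently dropped on the next vendor sync, and a wrapper around the RPC handler in Minio's own code would be a more durable place to set response headers. The enclosing ServeHTTP body starts before and ends after this hunk.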