From d143542fe5da4d5db512b40f6a615ba375e90990 Mon Sep 17 00:00:00 2001
From: Pavel Djundik
Date: Sun, 1 May 2016 20:27:10 +0300
Subject: [PATCH] Add security headers to minimize XSS damage
---
 client/js/libs/handlebars/parse.js | 2 +-
 src/server.js | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/client/js/libs/handlebars/parse.js b/client/js/libs/handlebars/parse.js
index e8567ea5..f73a2879 100644
--- a/client/js/libs/handlebars/parse.js
+++ b/client/js/libs/handlebars/parse.js
@@ -14,7 +14,7 @@ function uri(text) {
 return url;
 }
 var split = url.split("<");
- url = "" + split[0] + "";
+ url = "" + split[0] + "";
 if (split.length > 1) {
 url += "<" + split.slice(1).join("<");
 }
diff --git a/src/server.js b/src/server.js
index e9ec1c0c..bdcceb57 100644
--- a/src/server.js
+++ b/src/server.js
@@ -17,6 +17,7 @@ module.exports = function(options) {
 config = _.extend(config, options);
 var app = express()
+ .use(allRequests)
 .use(index)
 .use(express.static("client"));
@@ -80,6 +81,11 @@ function getClientIp(req) {
 }
 }
+function allRequests(req, res, next) {
+ res.setHeader("X-Content-Type-Options", "nosniff");
+ return next();
+}
+
 function index(req, res, next) {
 if (req.url.split("?")[0] !== "/") {
 return next();
@@ -91,6 +97,7 @@ function index(req, res, next) {
 config
 );
 var template = _.template(file);
+ res.setHeader("Content-Security-Policy", "default-src *; style-src * 'unsafe-inline'; script-src 'self'; child-src 'none'; object-src 'none'; form-action 'none'; referrer no-referrer;");
 res.setHeader("Content-Type", "text/html");
 res.writeHead(200);
 res.end(template(data));
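Review bot: The removed and added `url = "" + split[0] + "";` lines read identically here because the anchor markup wrapped around `split[0]` was stripped when the patch was rendered, so the attribute change this hunk makes to the link cannot be verified from the page. Cutting at the first `<` only keeps a tag from being opened inside the link text; if `split[0]` is interpolated into an `href` attribute, a `"` in the URL could still terminate that attribute unless the URL is validated or attribute-escaped earlier in `uri()`, whose start is outside the hunk and may already cover this. If the anchor opens in a new window it should also carry `rel="noopener noreferrer"` so the opened page gets no handle on the client — which may be exactly what the stripped part of this line adds.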
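Review bot: `allRequests` sets only `X-Content-Type-Options`, and nothing else in the patch stops the client from being framed: the `child-src 'none'` in the later Content-Security-Policy governs what this page may embed, not who may embed it. Adding `res.setHeader("X-Frame-Options", "DENY");` here (or `frame-ancestors 'none'` in the CSP) would close that gap on every response. A one-line comment above the function, such as `// Security headers applied to every response, static assets included.`, would also make its role in the middleware chain clear.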
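Review bot: `referrer no-referrer;` in the new Content-Security-Policy value is a non-standard directive from an early CSP draft that was later dropped from the spec, so browser support is unreliable and the referrer restriction may silently not apply; the standard form is a separate header, `res.setHeader("Referrer-Policy", "no-referrer");`. The CSP is also set only on the `/` route inside `index()`, while anything served by `express.static("client")` gets none — if any HTML lives in that directory, setting the header in `allRequests` alongside `nosniff` would cover it. `base-uri 'self'` is a cheap addition as well, since `default-src *` otherwise leaves an injected `<base>` element unconstrained. `index()` begins and ends outside this hunk.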