Merge pull request #949 from ITNerdbox/master

Added security headers for each HTTP response

code/espurna/web.ino

@@ -60,7 +60,9 @@ void _onGetConfig(AsyncWebServerRequest *request) {
     char buffer[100];
     snprintf_P(buffer, sizeof(buffer), PSTR("attachment; filename=\"%s-backup.json\""), (char *) getSetting("hostname").c_str());
     response->addHeader("Content-Disposition", buffer);
-
+    response->addHeader("X-XSS-Protection", "1; mode=block");
+    response->addHeader("X-Content-Type-Options", "nosniff");
+    response->addHeader("X-Frame-Options", "deny");
     request->send(response);
 
 }
@@ -158,6 +160,9 @@ void _onHome(AsyncWebServerRequest *request) {
 
         response->addHeader("Content-Encoding", "gzip");
         response->addHeader("Last-Modified", _last_modified);
+	response->addHeader("X-XSS-Protection", "1; mode=block");
+	response->addHeader("X-Content-Type-Options", "nosniff");
+	response->addHeader("X-Frame-Options", "deny");
         request->send(response);
 
     }
@@ -232,6 +237,9 @@ void _onUpgrade(AsyncWebServerRequest *request) {
 
     AsyncWebServerResponse *response = request->beginResponse(200, "text/plain", buffer);
     response->addHeader("Connection", "close");
+    response->addHeader("X-XSS-Protection", "1; mode=block");
+    response->addHeader("X-Content-Type-Options", "nosniff");
+    response->addHeader("X-Frame-Options", "deny");
     if (Update.hasError()) {
         eepromRotate(true);
     } else {