From b9d60f6a698fcecfa961cfe6960401201f775a0f Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 16 Jun 2018 09:18:08 +0200
Subject: [PATCH] Added security headers for each HTTP response

---
 code/espurna/web.ino | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/code/espurna/web.ino b/code/espurna/web.ino
index 8deb4c4d..01755f41 100644
--- a/code/espurna/web.ino
+++ b/code/espurna/web.ino
@@ -57,7 +57,9 @@ void _onGetConfig(AsyncWebServerRequest *request) {
     char buffer[100];
     snprintf_P(buffer, sizeof(buffer), PSTR("attachment; filename=\"%s-backup.json\""), (char *) getSetting("hostname").c_str());
     response->addHeader("Content-Disposition", buffer);
-
+    response->addHeader("X-XSS-Protection", "1; mode=block");
+    response->addHeader("X-Content-Type-Options", "nosniff");
+    response->addHeader("X-Frame-Options", "deny");
     request->send(response);
 }
@@ -151,6 +153,9 @@ void _onHome(AsyncWebServerRequest *request) {
     response->addHeader("Content-Encoding", "gzip");
     response->addHeader("Last-Modified", _last_modified);
+    response->addHeader("X-XSS-Protection", "1; mode=block");
+    response->addHeader("X-Content-Type-Options", "nosniff");
+    response->addHeader("X-Frame-Options", "deny");
     request->send(response);
 }
@@ -223,6 +228,10 @@ void _onUpgrade(AsyncWebServerRequest *request) {
     AsyncWebServerResponse *response = request->beginResponse(200, "text/plain", buffer);
     response->addHeader("Connection", "close");
+    response->addHeader("X-XSS-Protection", "1; mode=block");
+    response->addHeader("X-Content-Type-Options", "nosniff");
+    response->addHeader("X-Frame-Options", "deny");
+
     if (!Update.hasError()) {
         deferredReset(100, CUSTOM_RESET_UPGRADE);
     }
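Review bot: The same three `addHeader` calls are pasted verbatim into `_onGetConfig`, `_onHome` and `_onUpgrade` (this hunk and the two that follow), while the subject claims coverage of every response; any handler outside these hunks, and any added later, silently misses the set, and a typo in one copy would go unnoticed. A small `static` helper taking the `AsyncWebServerResponse *` and called once before each `request->send(response)` keeps the header set in one place. While doing that, the `X-Frame-Options` value is conventionally written `DENY` as in RFC 7034 (browsers generally match it case-insensitively, but the literal form avoids doubt), and `X-XSS-Protection` is a legacy header that current browsers ignore, so a `Content-Security-Policy` would be the durable replacement. The enclosing functions start and end outside each hunk.
```cpp
// Common response hardening, applied by every handler before request->send().
static void _addSecurityHeaders(AsyncWebServerResponse *response) {
    response->addHeader("X-XSS-Protection", "1; mode=block");
    response->addHeader("X-Content-Type-Options", "nosniff");
    response->addHeader("X-Frame-Options", "DENY");
}

// … unchanged: _onGetConfig body up to the Content-Disposition header …
    _addSecurityHeaders(response);
    request->send(response);
```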