Add HTTPSecurityHeaders.CustomFrameOptionsValue option.

Requested in https://github.com/navidrome/navidrome/issues/248#issuecomment-1783768985
Deluan 2024-05-02 12:12:19 -04:00
parent 7c5eec715d
commit aef49cb8d6
2 changed files with 12 additions and 4 deletions


@ -80,6 +80,7 @@ type configOptions struct {
PasswordEncryptionKey string PasswordEncryptionKey string
ReverseProxyUserHeader string ReverseProxyUserHeader string
ReverseProxyWhitelist string ReverseProxyWhitelist string
HTTPSecurityHeaders secureOptions
Prometheus prometheusOptions Prometheus prometheusOptions
Scanner scannerOptions Scanner scannerOptions
Jukebox jukeboxOptions Jukebox jukeboxOptions
@ -130,6 +131,10 @@ type listenBrainzOptions struct {
BaseURL string BaseURL string
} }
type secureOptions struct {
CustomFrameOptionsValue string
}
type prometheusOptions struct { type prometheusOptions struct {
Enabled bool Enabled bool
MetricsPath string MetricsPath string
@ -350,6 +355,8 @@ func init() {
viper.SetDefault("listenbrainz.enabled", true) viper.SetDefault("listenbrainz.enabled", true)
viper.SetDefault("listenbrainz.baseurl", "https://api.listenbrainz.org/1/") viper.SetDefault("listenbrainz.baseurl", "https://api.listenbrainz.org/1/")
viper.SetDefault("httpsecurityheaders.customframeoptionsvalue", "DENY")
// DevFlags. These are used to enable/disable debugging and incomplete features // DevFlags. These are used to enable/disable debugging and incomplete features
viper.SetDefault("devlogsourceline", false) viper.SetDefault("devlogsourceline", false)
viper.SetDefault("devenableprofiler", false) viper.SetDefault("devenableprofiler", false)
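Review bot: The new `secureOptions` struct and its `CustomFrameOptionsValue` field carry no doc comment, so someone reading the config struct cannot tell which response header the value feeds or what happens when it is left unset. A field comment such as `// CustomFrameOptionsValue is written as the X-Frame-Options header value; the default "DENY" keeps the previous behaviour.` would cover both, matching the default registered in the third hunk. The `init()` body in that hunk continues outside the hunk.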


@ -98,10 +98,11 @@ func corsHandler() func(http.Handler) http.Handler {
func secureMiddleware() func(http.Handler) http.Handler { func secureMiddleware() func(http.Handler) http.Handler {
sec := secure.New(secure.Options{ sec := secure.New(secure.Options{
ContentTypeNosniff: true, ContentTypeNosniff: true,
FrameDeny: true, FrameDeny: true,
ReferrerPolicy: "same-origin", ReferrerPolicy: "same-origin",
PermissionsPolicy: "autoplay=(), camera=(), microphone=(), usb=()", PermissionsPolicy: "autoplay=(), camera=(), microphone=(), usb=()",
CustomFrameOptionsValue: conf.Server.HTTPSecurityHeaders.CustomFrameOptionsValue,
//ContentSecurityPolicy: "script-src 'self' 'unsafe-inline'", //ContentSecurityPolicy: "script-src 'self' 'unsafe-inline'",
}) })
return sec.Handler return sec.Handler
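Review bot: `CustomFrameOptionsValue` flows from configuration into `secure.Options` with no validation, so a mistyped value (e.g. `SAMEORGIN`, lowercase, or stray whitespace) is emitted verbatim, and browsers that do not recognise an X-Frame-Options value ignore the header entirely — the misconfiguration silently drops the clickjacking protection the default `DENY` provides. As I read the secure library, a non-empty custom value takes precedence over `FrameDeny: true`, so the existing flag no longer guards this case. Validating the option at startup against the two values modern browsers honour, `DENY` and `SAMEORIGIN` (the obsolete `ALLOW-FROM` form is not supported), and rejecting or logging-and-ignoring anything else would close this; the commented-out ContentSecurityPolicy line is where a `frame-ancestors` directive belongs if finer-grained framing control is wanted. The realigned option fields at the top of the hunk appear to be gofmt fallout from the longer field name rather than semantic changes. secureMiddleware continues outside the hunk.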