mirror of https://github.com/superseriousbusiness/gotosocial.git (synced 2025-10-29 02:12:25 -05:00)
* Set frame-ancestors in the CSP

  This ensures we can't be loaded/embedded in an iframe. It also sets the older X-Frame-Options for fallback.

* Disable MIME type sniffing

* Set Referrer-Policy

  This sets the policy such that browsers will never send the Referer header along with a request, unless it's a request to the same protocol, host/domain and port. Basically, only send it when navigating through our own UI, but not anything external. The default is strict-origin-when-cross-origin when unset, which sends the Referer header for requests unless it's going from HTTPS to HTTP (i.e. a security downgrade, hence the 'strict').
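The four response headers the commit message describes, as an added example that is not GoToSocial's own middleware code: a plain net/http middleware that sets them, and an audit function you can run against any response's headers to confirm they are in place. The directive values used here (`frame-ancestors 'none'`, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Referrer-Policy: same-origin`) are the ones that produce the behaviour the message describes; the exact values the project committed are not visible on this page and are an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SecurityHeaders is an added example middleware (not GoToSocial's own).
// It sets the headers the commit message describes on every response:
//   - Content-Security-Policy: frame-ancestors 'none' so the page cannot be
//     embedded in an <iframe> by any origin (clickjacking defence), plus
//     X-Frame-Options: DENY as the fallback for browsers without CSP Level 2.
//   - X-Content-Type-Options: nosniff so browsers trust the declared
//     Content-Type instead of sniffing the body and possibly running it as
//     script or HTML.
//   - Referrer-Policy: same-origin so the Referer header is only sent to the
//     same scheme, host and port; external sites receive no Referer at all.
//     (The browser default when unset is strict-origin-when-cross-origin.)
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// Headers must be set before the wrapped handler calls WriteHeader;
		// changes to w.Header() after that point are silently ignored.
		h.Set("Content-Security-Policy", "frame-ancestors 'none'")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "same-origin")
		next.ServeHTTP(w, r)
	})
}

// cspHasFrameAncestorsNone reports whether a CSP value contains a
// frame-ancestors directive whose only source expression is 'none'.
// Directives are ';'-separated; the directive name is case-insensitive.
func cspHasFrameAncestorsNone(csp string) bool {
	for _, directive := range strings.Split(csp, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 2 &&
			strings.EqualFold(fields[0], "frame-ancestors") &&
			fields[1] == "'none'" {
			return true
		}
	}
	return false
}

// AuditHeaders checks a response's headers against the policy above and
// returns one message per problem; an empty slice means all four are set.
// It is useful against a real response, since a downstream handler that
// sets its own Content-Security-Policy would replace the middleware's one.
func AuditHeaders(h http.Header) []string {
	var problems []string
	if !cspHasFrameAncestorsNone(h.Get("Content-Security-Policy")) {
		problems = append(problems, "Content-Security-Policy lacks frame-ancestors 'none'")
	}
	if xfo := strings.ToUpper(h.Get("X-Frame-Options")); xfo != "DENY" && xfo != "SAMEORIGIN" {
		problems = append(problems, "X-Frame-Options is not DENY or SAMEORIGIN")
	}
	if !strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff") {
		problems = append(problems, "X-Content-Type-Options is not nosniff")
	}
	// Only policies that send nothing to external origins are accepted here.
	switch strings.ToLower(h.Get("Referrer-Policy")) {
	case "same-origin", "no-referrer":
	default:
		problems = append(problems, "Referrer-Policy missing or sends Referer cross-origin")
	}
	return problems
}

func main() {
	// Constructed demo: wrap a trivial handler, serve one request in-memory
	// with httptest, and audit the recorded response headers.
	handler := SecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello")
	}))
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	fmt.Printf("problems: %v\n", AuditHeaders(rec.Header()))
}
```

The audit is deliberately stricter than the browser: a `Referrer-Policy` of `strict-origin-when-cross-origin` still sends the origin to external sites and is reported as a problem, matching the commit message's intent of sending nothing outside the instance's own UI.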
| File |
|---|
| cachecontrol.go |
| contentsecuritypolicy.go |
| contentsecuritypolicy_test.go |
| cors.go |
| extraheaders.go |
| gzip.go |
| headerfilter.go |
| headerfilter_test.go |
| logger.go |
| ratelimit.go |
| ratelimit_test.go |
| requestid.go |
| session.go |
| session_test.go |
| signaturecheck.go |
| throttling.go |
| throttling_test.go |
| tokencheck.go |
| useragent.go |
| util.go |