authorOmar Roth <omarroth@hotmail.com>2018-09-05 21:06:30 -0500
committerOmar Roth <omarroth@hotmail.com>2018-09-05 21:06:30 -0500
commit96234e509f57a30cac5529725ecc8f550e24941f (patch)
treef357b3b478155644e1c2cd21c02c112fa500053c
parenta749ac73acb19ec2e3897006183a4bb1f63ef99a (diff)
Add X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options
-rw-r--r--src/invidious.cr4
-rw-r--r--src/invidious/helpers/helpers.cr11
2 files changed, 15 insertions, 0 deletions
diff --git a/src/invidious.cr b/src/invidious.cr
index f38a1343..6a32736c 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -106,6 +106,9 @@ spawn do
end
before_all do |env|
+ env.response.headers["X-XSS-Protection"] = "1; mode=block;"
+ env.response.headers["X-Content-Type-Options"] = "nosniff"
+
# CSRF
if Kemal.config.ssl || CONFIG.https_only
host = env.request.headers["Host"]?
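Review bot: The X-XSS-Protection value on the first added line carries a trailing semicolon, `"1; mode=block;"`, which is not the documented form of the directive; the line should read `env.response.headers["X-XSS-Protection"] = "1; mode=block"`. The filter this header controls is a legacy browser heuristic rather than a guarantee, so a short comment stating the intent would help maintainers, e.g. `# Legacy browser XSS-filter hint; a Content-Security-Policy is the real mitigation`. Both headers are set unconditionally here, while X-Frame-Options is added by the separate DenyFrame handler in the second file of this commit; a one-line comment pointing to that handler would let a reader find the three security headers together. The before_all block continues outside the hunk.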
@@ -2945,6 +2948,7 @@ public_folder "assets"
Kemal.config.powered_by_header = false
add_handler FilteredCompressHandler.new
+add_handler DenyFrame.new
add_context_storage_type(User)
Kemal.run
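Review bot: `add_handler DenyFrame.new` gives no hint why X-Frame-Options is applied from a handler while the other two security headers of this commit are set in before_all; a comment such as `add_handler DenyFrame.new # X-Frame-Options; kept out of before_all so /embed/* stays frameable` would keep that decision visible at the registration site. The handler is registered after FilteredCompressHandler; since DenyFrame writes the header before calling the next handler (per the helpers.cr hunk), the ordering appears not to affect whether the header is emitted, but that is inferred from the other file rather than visible here.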
diff --git a/src/invidious/helpers/helpers.cr b/src/invidious/helpers/helpers.cr
index 39538950..2af65e74 100644
--- a/src/invidious/helpers/helpers.cr
+++ b/src/invidious/helpers/helpers.cr
@@ -41,6 +41,17 @@ class FilteredCompressHandler < Kemal::Handler
end
end
+class DenyFrame < Kemal::Handler
+ exclude ["/embed/*"]
+
+ def call(env)
+ return call_next env if exclude_match? env
+
+ env.response.headers["X-Frame-Options"] = "sameorigin"
+ call_next env
+ end
+end
+
def rank_videos(db, n, filter, url)
top = [] of {Float64, String}