	Added security headers to web-vault (fixes #44)
		| @@ -1,8 +1,9 @@ | ||||
| use std::io; | ||||
| use std::path::{Path, PathBuf}; | ||||
|  | ||||
| use rocket::request::Request; | ||||
| use rocket::response::{self, NamedFile, Responder}; | ||||
| use rocket::Route; | ||||
| use rocket::response::NamedFile; | ||||
| use rocket_contrib::Json; | ||||
|  | ||||
| use CONFIG; | ||||
| @@ -17,27 +18,33 @@ pub fn routes() -> Vec<Route> { | ||||
|  | ||||
| // TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache | ||||
| #[get("/")] | ||||
| fn web_index() -> io::Result<NamedFile> { | ||||
|     NamedFile::open( | ||||
|         Path::new(&CONFIG.web_vault_folder) | ||||
|             .join("index.html")) | ||||
| fn web_index() -> WebHeaders<io::Result<NamedFile>> { | ||||
|     web_files("index.html".into()) | ||||
| } | ||||
|  | ||||
| #[get("/<p..>", rank = 1)] // Only match this if the other routes don't match | ||||
| fn web_files(p: PathBuf) -> io::Result<NamedFile> { | ||||
|     NamedFile::open( | ||||
|         Path::new(&CONFIG.web_vault_folder) | ||||
|             .join(p)) | ||||
| fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> { | ||||
|     WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p))) | ||||
| } | ||||
|  | ||||
| struct WebHeaders<R>(R); | ||||
|  | ||||
| impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> { | ||||
|     fn respond_to(self, req: &Request) -> response::Result<'r> { | ||||
|         let mut res = self.0.respond_to(req)?; | ||||
|  | ||||
|         res.set_raw_header("Referrer-Policy", "same-origin"); | ||||
|         res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); | ||||
|         res.set_raw_header("X-Content-Type-Options", "nosniff"); | ||||
|         res.set_raw_header("X-XSS-Protection", "1; mode=block"); | ||||
|  | ||||
|         Ok(res) | ||||
|     } | ||||
| } | ||||
|  | ||||
| #[get("/attachments/<uuid>/<file..>")] | ||||
| fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> { | ||||
|     NamedFile::open( | ||||
|         Path::new(&CONFIG.attachments_folder) | ||||
|             .join(uuid) | ||||
|             .join(file) | ||||
|     ) | ||||
|     NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)) | ||||
| } | ||||
|  | ||||
|  | ||||
|   | ||||
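Review bot: The `attachments` route at the end of this section still returns a bare `io::Result<NamedFile>`, so files under `CONFIG.attachments_folder` are served without `X-Content-Type-Options: nosniff` or the other headers that `web_index` and `web_files` now get. That route presumably serves uploaded content, which is where nosniff matters most; wrapping it the same way closes the gap: `fn attachments(uuid: String, file: PathBuf) -> WebHeaders<io::Result<NamedFile>>` with body `WebHeaders(NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)))`. In `respond_to`, the `?` on `self.0.respond_to(req)` returns before any header is set, so error responses such as a missing file go out without them; a response fairing would cover every route and status, if the Rocket version in use provides one. The wrapper also sets no `Content-Security-Policy`, and `X-XSS-Protection` is a legacy header that current browsers ignore, so it should not be relied on as the XSS defence.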