From c8784d64f4d8417a9e708856485734af3c53fc90 Mon Sep 17 00:00:00 2001
From: atrc445
Date: Fri, 13 Aug 2021 11:13:18 +0200
Subject: [PATCH 1/2] improve(?) caching - vary header should not contain "cookie" for assets

---
 files/__main__.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/files/__main__.py b/files/__main__.py
index ea9c3ee93b..bef989f793 100644
--- a/files/__main__.py
+++ b/files/__main__.py
@@ -37,6 +37,7 @@ app.config['DATABASE_URL'] = environ.get("DATABASE_CONNECTION_POOL_URL",environ.
 app.config['SECRET_KEY'] = environ.get('MASTER_KEY')
 app.config["SERVER_NAME"] = environ.get("DOMAIN").strip()
+app.config['SEND_FILE_MAX_AGE_DEFAULT'] = 60*10
 app.config["SESSION_COOKIE_NAME"] = "session_" + environ.get("SITE_NAME").strip().lower()
 app.config["VERSION"] = "1.0.0"
@@ -213,6 +214,9 @@ def before_request():
 g.timestamp = int(time.time())
+ #do not access session for static files
+ if request.path.startswith("/assets"): return
+
 session.permanent = True
 ua_banned, response_tuple = get_useragent_ban_response(
@@ -254,13 +258,10 @@ def after_request(response):
 print(e)
 abort(500)
- response.headers.remove("Cache-Control")
- response.headers.add("Cache-Control", "public, max-age=600")
-
 return response
 @app.route("/", subdomain="www")
 def www_redirect(path):
- return redirect(f"https://{app.config['SERVER_NAME']}/{path}")
\ No newline at end of file
+ return redirect(f"https://{app.config['SERVER_NAME']}/{path}")

From 051b891f575fd004e29ad749c361b7dafd13d6d6 Mon Sep 17 00:00:00 2001
From: atrc445
Date: Fri, 13 Aug 2021 22:58:07 +0200
Subject: [PATCH 2/2] re-add security-related headers from ruqqus

---
 files/__main__.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/files/__main__.py b/files/__main__.py
index bef989f793..1ddfbd0e82 100644
--- a/files/__main__.py
+++ b/files/__main__.py
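Review bot: The `60*10` on the added SEND_FILE_MAX_AGE_DEFAULT line is an undocumented duration; the value is in seconds and this Flask setting only governs responses produced by send_file() and the static route, not ordinary view responses, so a trailing comment would spare the next reader a lookup: `app.config['SEND_FILE_MAX_AGE_DEFAULT'] = 60*10  # seconds; cache lifetime for send_file()/static responses only`.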
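Review bot: Dropping the blanket `Cache-Control: public, max-age=600` is the right call, since on the old side it was stamped onto every response, session-bearing HTML included, but the new side leaves dynamic responses with no caching directive at all, so shared caches are free to apply heuristic caching to them. A guarded default in after_request would close that gap without touching the asset responses that now rely on SEND_FILE_MAX_AGE_DEFAULT: `if not request.path.startswith("/assets"): response.headers.setdefault("Cache-Control", "no-store")` (or `private` if public pages should remain proxy-cacheable). after_request begins outside this hunk, so I cannot see whether an earlier line already sets this. Separately, the context line `def www_redirect(path):` sits under `@app.route("/", subdomain="www")`, a rule with no `path` variable; unless another route decorator above the hunk supplies it, that handler cannot be called successfully — pre-existing, not introduced here.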
@@ -215,9 +215,11 @@ def before_request():
 g.timestamp = int(time.time())
 #do not access session for static files
- if request.path.startswith("/assets"): return
+ if not request.path.startswith("/assets"):
+ session.permanent = True
- session.permanent = True
+ if not session.get("session_id"):
+ session["session_id"] = secrets.token_hex(16)
 ua_banned, response_tuple = get_useragent_ban_response(
 request.headers.get("User-Agent", "NoAgent"))
@@ -229,9 +231,6 @@ def before_request():
 url = request.url.replace("http://", "https://", 1)
 return redirect(url, code=301)
- if not session.get("session_id"):
- session["session_id"] = secrets.token_hex(16)
-
 ua=request.headers.get("User-Agent","")
 if "CriOS/" in ua:
 g.system="ios/chrome"
@@ -258,6 +257,12 @@ def after_request(response):
 print(e)
 abort(500)
+ response.headers.add("Strict-Transport-Security", "max-age=31536000")
+ response.headers.add("Referrer-Policy", "same-origin")
+ response.headers.add("Feature-Policy", "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; vibrate 'none'; fullscreen 'none'; payment 'none';")
+ if not request.path.startswith("/embed/"): response.headers.add("X-Frame-Options", "deny")
+
 return response
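Review bot: `request.path.startswith("/assets")` on the new side is a bare prefix test, so any path that merely begins with that string (e.g. /assets-foo) is also treated as a static asset and skips session setup, whereas the third hunk of this patch uses the slash-terminated form `"/embed/"`; `if not request.path.startswith("/assets/"):` is both tighter and consistent with it. Also, an asset request now never receives a `session_id`, so anything later in before_request or in after_request that indexes `session["session_id"]` directly would raise for those requests — the rest of before_request is outside this hunk, so that is worth confirming against the code that reads it.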
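Review bot: The new header lines use `response.headers.add`, which appends rather than replaces, so a response that already carries one of these headers (a view emitting its own X-Frame-Options, say) goes out with two values, and browsers do not reliably honour conflicting duplicates; `response.headers.set` (or `setdefault`, if views should be allowed to override) is the safer primitive, as the remove-then-add the first patch deleted for Cache-Control already acknowledged. `Feature-Policy` is deprecated, and `notifications`, `push` and `vibrate` are not feature names current browsers recognise, so sending a `Permissions-Policy` alongside it is what actually enforces the restriction today. The HSTS value has no `includeSubDomains`; given the www-subdomain handling visible in this file that may be deliberate, but it deserves an explicit decision. `X-Content-Type-Options: nosniff` is the usual companion to this set and is cheap to add. after_request begins outside this hunk.
```python
    # set(), not add(): a view may already have emitted one of these, and
    # duplicate values (X-Frame-Options in particular) are not reliably honoured
    response.headers.set("Strict-Transport-Security", "max-age=31536000")
    response.headers.set("Referrer-Policy", "same-origin")
    response.headers.set("X-Content-Type-Options", "nosniff")

    # Feature-Policy is deprecated; Permissions-Policy is what current browsers act on.
    # The legacy header is kept for older clients; the new one lists only recognised features.
    response.headers.set("Feature-Policy", "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; vibrate 'none'; fullscreen 'none'; payment 'none';")
    response.headers.set("Permissions-Policy", "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()")
    if not request.path.startswith("/embed/"):
        response.headers.set("X-Frame-Options", "DENY")

    return response
```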