From 051b891f575fd004e29ad749c361b7dafd13d6d6 Mon Sep 17 00:00:00 2001
From: atrc445 <atrc445@protonmail.com>
Date: Fri, 13 Aug 2021 22:58:07 +0200
Subject: [PATCH] re-add security-related headers from ruqqus

---
 files/__main__.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/files/__main__.py b/files/__main__.py
index bef989f79..1ddfbd0e8 100644
--- a/files/__main__.py
+++ b/files/__main__.py
@@ -215,9 +215,11 @@ def before_request():
 	g.timestamp = int(time.time())
 
 	#do not access session for static files
-	if request.path.startswith("/assets"): return
+	if not request.path.startswith("/assets"):
+		session.permanent = True
 
-	session.permanent = True
+		if not session.get("session_id"):
+			session["session_id"] = secrets.token_hex(16)
 
 	ua_banned, response_tuple = get_useragent_ban_response(
 		request.headers.get("User-Agent", "NoAgent"))
@@ -229,9 +231,6 @@ def before_request():
 		url = request.url.replace("http://", "https://", 1)
 		return redirect(url, code=301)
 
-	if not session.get("session_id"):
-		session["session_id"] = secrets.token_hex(16)
-
 	ua=request.headers.get("User-Agent","")
 	if "CriOS/" in ua:
 		g.system="ios/chrome"
@@ -258,6 +257,12 @@ def after_request(response):
 		print(e)
 		abort(500)
 
+	response.headers.add("Strict-Transport-Security", "max-age=31536000")
+	response.headers.add("Referrer-Policy", "same-origin")
+
+	response.headers.add("Feature-Policy", "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; vibrate 'none'; fullscreen 'none'; payment 'none';")
+	if not request.path.startswith("/embed/"): response.headers.add("X-Frame-Options", "deny")
+
 	return response