From 49978081b0a5826bea702264a21efd901c38421c Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Wed, 10 Jul 2019 15:09:43 +0200
Subject: [PATCH] See #880: added XSS filter and content-type nosniff headers

---
 api/config/settings/common.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/api/config/settings/common.py b/api/config/settings/common.py
index 4c5df872..076177ea 100644
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -222,6 +222,7 @@ INSTALLED_APPS = (
 # MIDDLEWARE CONFIGURATION
 # ------------------------------------------------------------------------------
 MIDDLEWARE = (
+    "django.middleware.security.SecurityMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "corsheaders.middleware.CorsMiddleware",
     "funkwhale_api.common.middleware.SPAFallbackMiddleware",
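Review bot: The new first entry of MIDDLEWARE carries no comment explaining why its position matters, and the tuple continues outside the hunk. SecurityMiddleware is what turns the SECURE_* settings into response headers and optional redirects, and Django's guidance is to keep it at or near the top so those apply before other middleware act on the request. A one-line comment above it would protect the ordering from a later reshuffle: `# Keep first: emits the SECURE_* headers and handles SSL redirects ahead of other middleware`. Note that installing it also makes SECURE_SSL_REDIRECT and SECURE_HSTS_SECONDS live; both stay at their off/zero defaults here, which is worth stating explicitly in the settings so nobody assumes HTTPS enforcement is now in place.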
@@ -398,6 +399,8 @@ ASGI_APPLICATION = "config.routing.application"
 
 # This ensures that Django will be able to detect a secure connection
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
 
 # AUTHENTICATION CONFIGURATION
 # ------------------------------------------------------------------------------
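Review bot: SECURE_BROWSER_XSS_FILTER on L26 emits `X-XSS-Protection: 1; mode=block`, a legacy header that current browsers ignore (Chromium dropped its XSS auditor and Firefox never shipped one), so it adds little defensive value, while SECURE_CONTENT_TYPE_NOSNIFF on L27 is the effective change and is fine as is. The settings also have no effect unless `django.middleware.security.SecurityMiddleware` is installed, which this same patch adds in the first hunk; that dependency should be visible here. I would add `# Both require SecurityMiddleware (see MIDDLEWARE); X-XSS-Protection is legacy, a Content-Security-Policy is the durable XSS mitigation` above L26 so the next maintainer knows what is and isn't being enforced. The surrounding SECURE_PROXY_SSL_HEADER on L25 trusts X-Forwarded-Proto from the proxy, which is pre-existing and only matters if SECURE_SSL_REDIRECT is enabled later.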
-- 
GitLab