Fix #77 Add X-Content-Type-Options, X-XSS-Protection, X-Frame-Options headers

CHANGELOG

@@ -8,6 +8,7 @@ Revision history for Lutim
 	- Gzip static assets with Mojolicious::Plugin::GzipStatic
 	- Fix scroll-to-top when clicking on delete image
 	- Add CSP header
+	- Add X-Content-Type-Options, X-XSS-Protection, X-Frame-Options headers
 
 0.10.4 2018-05-07
 	- Fix bug in cache system that would allow someone to view an image with an incorrect decryption key

lib/Lutim.pm

@@ -27,34 +27,37 @@ sub startup {
 
     my $config = $self->plugin('Config', {
         default => {
-            provisioning      => 100,
-            provis_step       => 5,
-            length            => 8,
-            always_encrypt    => 0,
-            anti_flood_delay  => 5,
-            tweet_card_via    => '@framasky',
-            max_file_size     => 10*1024*1024,
-            https             => 0,
-            proposed_delays   => '0,1,7,30,365',
-            default_delay     => 0,
-            max_delay         => 0,
-            token_length      => 24,
-            crypto_key_length => 8,
-            thumbnail_size    => 100,
-            theme             => 'default',
-            dbtype            => 'sqlite',
-            db_path           => 'lutim.db',
-            max_files_in_zip  => 15,
-            prefix            => '/',
-            minion            => {
+            provisioning           => 100,
+            provis_step            => 5,
+            length                 => 8,
+            always_encrypt         => 0,
+            anti_flood_delay       => 5,
+            tweet_card_via         => '@framasky',
+            max_file_size          => 10*1024*1024,
+            https                  => 0,
+            proposed_delays        => '0,1,7,30,365',
+            default_delay          => 0,
+            max_delay              => 0,
+            token_length           => 24,
+            crypto_key_length      => 8,
+            thumbnail_size         => 100,
+            theme                  => 'default',
+            dbtype                 => 'sqlite',
+            db_path                => 'lutim.db',
+            max_files_in_zip       => 15,
+            prefix                 => '/',
+            minion                 => {
                 enabled => 0,
                 dbtype  => 'sqlite',
                 db_path => 'minion.db'
             },
-            cache_max_size    => 0,
-            memcached_servers => [],
-            quiet_logs        => 0,
-            disable_img_stats => 0,
+            cache_max_size         => 0,
+            memcached_servers      => [],
+            quiet_logs             => 0,
+            disable_img_stats      => 0,
+            x_frame_options        => 'DENY',
+            x_content_type_options => 'nosniff',
+            x_xss_protection       => '1; mode=block',
         }
     });
 

lib/Lutim/Plugin/Headers.pm

@@ -21,12 +21,12 @@ sub register {
         };
 
         my $frame_ancestors = '';
-        #$frame_ancestors = "'none'" if $app->config('x_frame_options') eq 'DENY';
-        #$frame_ancestors = "'self'" if $app->config('x_frame_options') eq 'SAMEORIGIN';
-        #if ($app->config('x_frame_options') =~ m#^ALLOW-FROM#) {
-        #    $frame_ancestors = $app->config('x_frame_options');
-        #    $frame_ancestors =~ s#ALLOW-FROM +##;
-        #}
+        $frame_ancestors = "'none'" if $app->config('x_frame_options') eq 'DENY';
+        $frame_ancestors = "'self'" if $app->config('x_frame_options') eq 'SAMEORIGIN';
+        if ($app->config('x_frame_options') =~ m#^ALLOW-FROM#) {
+            $frame_ancestors = $app->config('x_frame_options');
+            $frame_ancestors =~ s#ALLOW-FROM +##;
+        }
         $directives->{'frame-ancestors'} = $frame_ancestors if $frame_ancestors;
 
         $app->plugin('CSPHeader',
@@ -34,6 +34,17 @@ sub register {
             directives => $directives
         );
     }
+
+    # Add other headers
+    $app->hook(
+        before_dispatch => sub {
+            my $c = shift;
+
+            $c->res->headers->header('X-Frame-Options'        => $app->config('x_frame_options'))        if $app->config('x_frame_options');
+            $c->res->headers->header('X-Content-Type-Options' => $app->config('x_content_type_options')) if $app->config('x_content_type_options');
+            $c->res->headers->header('X-XSS-Protection'       => $app->config('x_xss_protection'))       if $app->config('x_xss_protection');
+        }
+    );
 }
 
 1;

lib/Mounter.pm

@@ -22,34 +22,37 @@ sub startup {
         {
             file    => $cfile,
             default => {
-                provisioning      => 100,
-                provis_step       => 5,
-                length            => 8,
-                always_encrypt    => 0,
-                anti_flood_delay  => 5,
-                tweet_card_via    => '@framasky',
-                max_file_size     => 10*1024*1024,
-                https             => 0,
-                proposed_delays   => '0,1,7,30,365',
-                default_delay     => 0,
-                max_delay         => 0,
-                token_length      => 24,
-                crypto_key_length => 8,
-                thumbnail_size    => 100,
-                theme             => 'default',
-                dbtype            => 'sqlite',
-                db_path           => 'lutim.db',
-                max_files_in_zip  => 15,
-                prefix            => '/',
-                minion            => {
+                provisioning           => 100,
+                provis_step            => 5,
+                length                 => 8,
+                always_encrypt         => 0,
+                anti_flood_delay       => 5,
+                tweet_card_via         => '@framasky',
+                max_file_size          => 10*1024*1024,
+                https                  => 0,
+                proposed_delays        => '0,1,7,30,365',
+                default_delay          => 0,
+                max_delay              => 0,
+                token_length           => 24,
+                crypto_key_length      => 8,
+                thumbnail_size         => 100,
+                theme                  => 'default',
+                dbtype                 => 'sqlite',
+                db_path                => 'lutim.db',
+                max_files_in_zip       => 15,
+                prefix                 => '/',
+                minion                 => {
                     enabled => 0,
                     dbtype  => 'sqlite',
                     db_path => 'minion.db'
                 },
-                cache_max_size    => 0,
-                memcached_servers => [],
-                quiet_logs        => 0,
-                disable_img_stats => 0,
+                cache_max_size         => 0,
+                memcached_servers      => [],
+                quiet_logs             => 0,
+                disable_img_stats      => 0,
+                x_frame_options        => 'DENY',
+                x_content_type_options => 'nosniff',
+                x_xss_protection       => '1; mode=block',
             }
         }
     );

lutim.conf.template

@@ -215,6 +215,27 @@
     # the default value is good for `default` theme
     #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
 
+    # X-Frame-Options header that will be sent by Lstu
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     ##########################
     # Lutim cron jobs settings
     ##########################

t/postgresql1.conf

@@ -159,6 +159,11 @@
     #    }
     #},
 
+    # disable counters of images
+    # set to 1 to disable counters
+    # optional, counters are enabled by default
+    #disable_img_stats => 0,
+
     # define the height of the thumbnails generated at users' will
     # this is not the height of the thumbnails send after upload,
     # we're talking about thumbnails generated when someone asked for
@@ -178,6 +183,10 @@
     # maximum size (in MB) of memory allowed for the image cache
     # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images.
     # This setting makes the cache remove oldest viewed image if the cache size is over it.
+    # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of
+    # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details
+    # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for
+    # cache is 400MB.
     # If set to 0, the cache is disabled
     # optional, default is 0
     #cache_max_size => 0,
@@ -191,6 +200,42 @@
     # optional, default is []
     #memcached_servers => [],
 
+    # enable or disable Lutim built-in logs
+    # set to 1 to disable logs
+    # optional, default is 0
+    #quiet_logs => 0,
+
+    # Content-Security-Policy header that will be sent by Lstu
+    # Set to '' to disable CSP header
+    # https://content-security-policy.com/ provides a good documentation about CSP.
+    # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+    # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    # NB: unsafe-inline for script-src and style-src are here only because morris,
+    # the graph library used in the stats page requires it
+    # the default value is good for `default` theme
+    #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+
+    # X-Frame-Options header that will be sent by Lstu
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     ##########################
     # Lutim cron jobs settings
     ##########################

t/postgresql2.conf

@@ -159,6 +159,11 @@
     #    }
     },
 
+    # disable counters of images
+    # set to 1 to disable counters
+    # optional, counters are enabled by default
+    #disable_img_stats => 0,
+
     # define the height of the thumbnails generated at users' will
     # this is not the height of the thumbnails send after upload,
     # we're talking about thumbnails generated when someone asked for
@@ -178,6 +183,10 @@
     # maximum size (in MB) of memory allowed for the image cache
     # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images.
     # This setting makes the cache remove oldest viewed image if the cache size is over it.
+    # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of
+    # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details
+    # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for
+    # cache is 400MB.
     # If set to 0, the cache is disabled
     # optional, default is 0
     #cache_max_size => 0,
@@ -191,6 +200,42 @@
     # optional, default is []
     #memcached_servers => [],
 
+    # enable or disable Lutim built-in logs
+    # set to 1 to disable logs
+    # optional, default is 0
+    #quiet_logs => 0,
+
+    # Content-Security-Policy header that will be sent by Lstu
+    # Set to '' to disable CSP header
+    # https://content-security-policy.com/ provides a good documentation about CSP.
+    # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+    # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    # NB: unsafe-inline for script-src and style-src are here only because morris,
+    # the graph library used in the stats page requires it
+    # the default value is good for `default` theme
+    #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+
+    # X-Frame-Options header that will be sent by Lstu
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     ##########################
     # Lutim cron jobs settings
     ##########################

t/postgresql3.conf

@@ -159,6 +159,11 @@
         }
     },
 
+    # disable counters of images
+    # set to 1 to disable counters
+    # optional, counters are enabled by default
+    #disable_img_stats => 0,
+
     # define the height of the thumbnails generated at users' will
     # this is not the height of the thumbnails send after upload,
     # we're talking about thumbnails generated when someone asked for
@@ -178,6 +183,10 @@
     # maximum size (in MB) of memory allowed for the image cache
     # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images.
     # This setting makes the cache remove oldest viewed image if the cache size is over it.
+    # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of
+    # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details
+    # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for
+    # cache is 400MB.
     # If set to 0, the cache is disabled
     # optional, default is 0
     #cache_max_size => 0,
@@ -191,6 +200,42 @@
     # optional, default is []
     #memcached_servers => [],
 
+    # enable or disable Lutim built-in logs
+    # set to 1 to disable logs
+    # optional, default is 0
+    #quiet_logs => 0,
+
+    # Content-Security-Policy header that will be sent by Lstu
+    # Set to '' to disable CSP header
+    # https://content-security-policy.com/ provides a good documentation about CSP.
+    # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+    # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    # NB: unsafe-inline for script-src and style-src are here only because morris,
+    # the graph library used in the stats page requires it
+    # the default value is good for `default` theme
+    #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+
+    # X-Frame-Options header that will be sent by Lstu
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     ##########################
     # Lutim cron jobs settings
     ##########################

t/sqlite1.conf

@@ -159,6 +159,11 @@
     #    }
     #},
 
+    # disable counters of images
+    # set to 1 to disable counters
+    # optional, counters are enabled by default
+    #disable_img_stats => 0,
+
     # define the height of the thumbnails generated at users' will
     # this is not the height of the thumbnails send after upload,
     # we're talking about thumbnails generated when someone asked for
@@ -178,6 +183,10 @@
     # maximum size (in MB) of memory allowed for the image cache
     # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images.
     # This setting makes the cache remove oldest viewed image if the cache size is over it.
+    # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of
+    # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details
+    # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for
+    # cache is 400MB.
     # If set to 0, the cache is disabled
     # optional, default is 0
     #cache_max_size => 0,
@@ -191,6 +200,42 @@
     # optional, default is []
     #memcached_servers => [],
 
+    # enable or disable Lutim built-in logs
+    # set to 1 to disable logs
+    # optional, default is 0
+    #quiet_logs => 0,
+
+    # Content-Security-Policy header that will be sent by Lstu
+    # Set to '' to disable CSP header
+    # https://content-security-policy.com/ provides a good documentation about CSP.
+    # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+    # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    # NB: unsafe-inline for script-src and style-src are here only because morris,
+    # the graph library used in the stats page requires it
+    # the default value is good for `default` theme
+    #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+
+    # X-Frame-Options header that will be sent by Lstu
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     ##########################
     # Lutim cron jobs settings
     ##########################

t/sqlite2.conf

@@ -159,6 +159,11 @@
     #    }
     },
 
+    # disable counters of images
+    # set to 1 to disable counters
+    # optional, counters are enabled by default
+    #disable_img_stats => 0,
+
     # define the height of the thumbnails generated at users' will
     # this is not the height of the thumbnails send after upload,
     # we're talking about thumbnails generated when someone asked for
@@ -178,6 +183,10 @@
     # maximum size (in MB) of memory allowed for the image cache
     # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images.
     # This setting makes the cache remove oldest viewed image if the cache size is over it.
+    # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of
+    # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details
+    # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for
+    # cache is 400MB.
     # If set to 0, the cache is disabled
     # optional, default is 0
     #cache_max_size => 0,
@@ -191,6 +200,42 @@
     # optional, default is []
     #memcached_servers => [],
 
+    # enable or disable Lutim built-in logs
+    # set to 1 to disable logs
+    # optional, default is 0
+    #quiet_logs => 0,
+
+    # Content-Security-Policy header that will be sent by Lstu
+    # Set to '' to disable CSP header
+    # https://content-security-policy.com/ provides a good documentation about CSP.
+    # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+    # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    # NB: unsafe-inline for script-src and style-src are here only because morris,
+    # the graph library used in the stats page requires it
+    # the default value is good for `default` theme
+    #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+
+    # X-Frame-Options header that will be sent by Lstu
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     ##########################
     # Lutim cron jobs settings
     ##########################

t/sqlite3.conf

@@ -159,6 +159,11 @@
         }
     },
 
+    # disable counters of images
+    # set to 1 to disable counters
+    # optional, counters are enabled by default
+    #disable_img_stats => 0,
+
     # define the height of the thumbnails generated at users' will
     # this is not the height of the thumbnails send after upload,
     # we're talking about thumbnails generated when someone asked for
@@ -178,6 +183,10 @@
     # maximum size (in MB) of memory allowed for the image cache
     # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images.
     # This setting makes the cache remove oldest viewed image if the cache size is over it.
+    # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of
+    # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details
+    # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for
+    # cache is 400MB.
     # If set to 0, the cache is disabled
     # optional, default is 0
     #cache_max_size => 0,
@@ -191,6 +200,42 @@
     # optional, default is []
     #memcached_servers => [],
 
+    # enable or disable Lutim built-in logs
+    # set to 1 to disable logs
+    # optional, default is 0
+    #quiet_logs => 0,
+
+    # Content-Security-Policy header that will be sent by Lstu
+    # Set to '' to disable CSP header
+    # https://content-security-policy.com/ provides a good documentation about CSP.
+    # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+    # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    # NB: unsafe-inline for script-src and style-src are here only because morris,
+    # the graph library used in the stats page requires it
+    # the default value is good for `default` theme
+    #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+
+    # X-Frame-Options header that will be sent by Lstu
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lstu
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     ##########################
     # Lutim cron jobs settings
     ##########################

t/test.t

@@ -26,33 +26,36 @@ BEGIN {
         {
             file    => $cfile->to_abs->to_string,
             default => {
-                provisioning      => 100,
-                provis_step       => 5,
-                length            => 8,
-                always_encrypt    => 0,
-                anti_flood_delay  => 5,
-                tweet_card_via    => '@framasky',
-                max_file_size     => 10*1024*1024,
-                https             => 0,
-                proposed_delays   => '0,1,7,30,365',
-                default_delay     => 0,
-                max_delay         => 0,
-                token_length      => 24,
-                crypto_key_length => 8,
-                thumbnail_size    => 100,
-                theme             => 'default',
-                dbtype            => 'sqlite',
-                db_path           => 'lutim.db',
-                max_files_in_zip  => 15,
-                prefix            => '/',
-                minion            => {
+                provisioning           => 100,
+                provis_step            => 5,
+                length                 => 8,
+                always_encrypt         => 0,
+                anti_flood_delay       => 5,
+                max_file_size          => 10*1024*1024,
+                https                  => 0,
+                proposed_delays        => '0,1,7,30,365',
+                default_delay          => 0,
+                max_delay              => 0,
+                token_length           => 24,
+                crypto_key_length      => 8,
+                thumbnail_size         => 100,
+                theme                  => 'default',
+                dbtype                 => 'sqlite',
+                db_path                => 'lutim.db',
+                max_files_in_zip       => 15,
+                prefix                 => '/',
+                minion                 => {
                     enabled => 0,
                     dbtype  => 'sqlite',
                     db_path => 'minion.db'
                 },
-                cache_max_size    => 0,
-                quiet_logs        => 0,
-                disable_img_stats => 0,
+                cache_max_size         => 0,
+                memcached_servers      => [],
+                quiet_logs             => 0,
+                disable_img_stats      => 0,
+                x_frame_options        => 'DENY',
+                x_content_type_options => 'nosniff',
+                x_xss_protection       => '1; mode=block',
             }
         }
     );
@@ -64,7 +67,10 @@ my $t = Test::Mojo->new('Lutim');
 $t->get_ok('/')
   ->status_is(200)
   ->content_like(qr/Let's Upload That IMage/i)
-  ->header_is('Content-Security-Policy' => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+  ->header_is('Content-Security-Policy' => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")
+  ->header_is('X-Frame-Options' => 'DENY')
+  ->header_is('X-XSS-Protection' => '1; mode=block')
+  ->header_is('X-Content-Type-Options' => 'nosniff');
 
 # Gzip static assets
 $t->get_ok('/css/lutim.css')

themes/default/lib/Lutim/I18N/lutim.pot

@@ -32,11 +32,11 @@ msgstr ""
 msgid "-or-"
 msgstr ""
 
-#: lib/Lutim.pm:217 lib/Lutim/Command/cron/stats.pm:151 lib/Lutim/Command/cron/stats.pm:165 lib/Lutim/Command/cron/stats.pm:182 themes/default/templates/index.html.ep:5 themes/default/templates/partial/raw.js.ep:25 themes/default/templates/partial/raw.js.ep:8 themes/default/templates/raw.html.ep:10
+#: lib/Lutim.pm:220 lib/Lutim/Command/cron/stats.pm:151 lib/Lutim/Command/cron/stats.pm:165 lib/Lutim/Command/cron/stats.pm:182 themes/default/templates/index.html.ep:5 themes/default/templates/partial/raw.js.ep:25 themes/default/templates/partial/raw.js.ep:8 themes/default/templates/raw.html.ep:10
 msgid "1 year"
 msgstr ""
 
-#: lib/Lutim.pm:216 lib/Lutim/Command/cron/stats.pm:148 lib/Lutim/Command/cron/stats.pm:162 lib/Lutim/Command/cron/stats.pm:179 themes/default/templates/index.html.ep:4 themes/default/templates/partial/for_my_delay.html.ep:13 themes/default/templates/partial/lutim.js.ep:149 themes/default/templates/partial/raw.js.ep:22 themes/default/templates/partial/raw.js.ep:5 themes/default/templates/raw.html.ep:7
+#: lib/Lutim.pm:219 lib/Lutim/Command/cron/stats.pm:148 lib/Lutim/Command/cron/stats.pm:162 lib/Lutim/Command/cron/stats.pm:179 themes/default/templates/index.html.ep:4 themes/default/templates/partial/for_my_delay.html.ep:13 themes/default/templates/partial/lutim.js.ep:149 themes/default/templates/partial/raw.js.ep:22 themes/default/templates/partial/raw.js.ep:5 themes/default/templates/raw.html.ep:7
 msgid "24 hours"
 msgstr ""
 
@@ -503,7 +503,7 @@ msgstr ""
 msgid "core developer"
 msgstr ""
 
-#: lib/Lutim.pm:215 lib/Lutim/Command/cron/stats.pm:147 lib/Lutim/Command/cron/stats.pm:161 lib/Lutim/Command/cron/stats.pm:178 themes/default/templates/index.html.ep:3 themes/default/templates/partial/raw.js.ep:21 themes/default/templates/partial/raw.js.ep:4 themes/default/templates/raw.html.ep:6
+#: lib/Lutim.pm:218 lib/Lutim/Command/cron/stats.pm:147 lib/Lutim/Command/cron/stats.pm:161 lib/Lutim/Command/cron/stats.pm:178 themes/default/templates/index.html.ep:3 themes/default/templates/partial/raw.js.ep:21 themes/default/templates/partial/raw.js.ep:4 themes/default/templates/raw.html.ep:6
 msgid "no time limit"
 msgstr ""