From 3d2da43207ee963cb813dfba3a338b9d9c918319 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Wed, 18 Dec 2019 12:03:56 +0100
Subject: Add a default CSP

Disallows loading external ressources. Providers can override it with their reverse proxy settings.

---
 server.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/server.go b/server.go
index ab42684..df48303 100644
--- a/server.go
+++ b/server.go
@@ -166,6 +166,13 @@ func New(e *echo.Echo, options *Options) error {
 c.String(code, err.Error())
 }
 
+ e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(ectx echo.Context) error {
+ ectx.Response().Header().Set("Content-Security-Policy", "default-src 'self'")
+ return next(ectx)
+ }
+ })
+
 e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
 return func(ectx echo.Context) error {
 ctx := &Context{Context: ectx, Server: s}
-- 
cgit v1.2.3-59-g8ed1b
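Review bot: The added policy leaves framing unrestricted, because `frame-ancestors` does not fall back to `default-src`; unless this UI is meant to be embedded, the header value in the new middleware should be `"default-src 'self'; frame-ancestors 'none'"` (`base-uri` and `form-action` likewise have to be listed explicitly if they are meant to be tightened). `default-src 'self'` also blocks inline `<script>`/`<style>` and `on*` attribute handlers, so any template that relies on them will stop working in the browser without a server-side error — worth checking before merging. A short comment on the middleware, `// Default CSP: only same-origin resources; a reverse proxy may override this header.`, would record the intent stated in the commit message next to the code. The enclosing function `New` starts and ends outside the hunk.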