From 02e7c7e824ff6902c6c3b06eb7cdea74c926132b Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Fri, 30 Dec 2022 10:35:13 +0100
Subject: [PATCH] Add Referrer-Policy and X-Content-Type-Options headers
---
 webserver/webserver.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/webserver/webserver.go b/webserver/webserver.go
index 4330cda..c8b9236 100644
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@@ -103,6 +103,12 @@ func cspHeader(w http.ResponseWriter, connect string) {
 }
 w.Header().Add("Content-Security-Policy", c+" img-src data: 'self'; media-src blob: 'self'; default-src 'self'")
+
+ // Make browser stop sending referrer information
+ w.Header().Add("Referrer-Policy", "no-referrer")
+
+ // Require correct MIME type to load CSS and JS
+ w.Header().Add("X-Content-Type-Options", "nosniff")
 }
 func notFound(w http.ResponseWriter) {
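Review bot: The two new headers at the end of cspHeader are appended with `Add`, so a second call on the same response, or another handler that has already set them, produces duplicate header lines; `w.Header().Set("Referrer-Policy", "no-referrer")` and `w.Header().Set("X-Content-Type-Options", "nosniff")` keep a single value. They are also sent only on responses that pass through cspHeader, and the hunk does not show whether notFound or any static-file path calls it, so nosniff may be absent on responses where a mislabelled body could still be sniffed. Since the function now sets more than the CSP, a doc comment such as `// cspHeader sets the Content-Security-Policy, Referrer-Policy and X-Content-Type-Options headers on w.` would make that scope visible to callers. The body of cspHeader starts above the hunk, so how `c` is built from `connect` is not reviewed here.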