Implement CSP for direct file downloads

With this header we tell the browser to ignore javascript, frames and
objects which decreases the exploitability of simple html pastes if
viewed raw ("<domain>/<id>", without a tailing slash) quite a lot.

You can still upload arbitrary files containing javascript code, but the
browser will refuse to execute it.

References: https://wiki.mozilla.org/Security/CSP/Specification

Signed-off-by: Florian Pritz <bluewind@xinu.at>

0 files changed, 0 insertions, 0 deletions