Add some security headers

.gitignore

@@ -4,10 +4,13 @@ node_modules
 
 # Personalisation stuff
 /src/site/pug/privacy.pug
+/src/site/pug/announcements
 
 # Database stuff
 db/**/*.db*
 users_export.json
+*.log
+*.csv
 
 # Test stuff
 /coverage

src/site/html/static/js/settings_message.js

@@ -0,0 +1,6 @@
+const params = new URLSearchParams(window.location.search)
+if (params.has("status")) {
+	params.delete("status")
+	params.delete("message")
+	history.replaceState(null, "", "?" + params.toString())
+}

src/site/pug/home.pug

@@ -51,14 +51,14 @@ html
 				ul
 					-
 						const links = [
-							["https://github.com/cloudrac3r/bibliogram", "GitHub repository"],
+							["https://github.com/cloudrac3r/bibliogram", "GitHub repository", "noopener"],
 							["https://matrix.to/#/#bibliogram:matrix.org", "Discussion room on Matrix"],
-							["https://github.com/cloudrac3r/bibliogram/wiki/Instances", "Other Bibliogram instances"],
+							["https://github.com/cloudrac3r/bibliogram/wiki/Instances", "Other Bibliogram instances", "noopener"],
 							["https://github.com/cloudrac3r/bibliogram/projects/1?fullscreen=true", "Project roadmap"],
 							["https://cadence.moe/about/contact", "Contact the developer"]
 						]
 					each entry in links
-						li: a(href!=entry[0] target="_blank" rel="noopener noreferrer")= entry[1]
+						li: a(href!=entry[0] target="_blank" rel=(entry[2] || "noopener noreferrer"))= entry[1]
 
 				if constants.featured_profiles.length
 					.featured-profiles#featured-profiles

src/site/pug/settings.pug

@@ -33,11 +33,7 @@ html
 	body.settings-page
 		if status && message
 			.status-notice(class=status)= message
-			script.
+			script(src=getStaticURL("html", "/static/js/settings_message.js") type="module")
-				const params = new URLSearchParams(window.location.search)
-				params.delete("status")
-				params.delete("message")
-				history.replaceState(null, "", "?" + params.toString())
 		main.settings
 			form(action=returnAction method="post" enctype="application/x-www-form-urlencoded")
 				input(type="hidden" name="csrf" value=csrf)

src/site/server.js

@@ -4,6 +4,11 @@ const constants = require("../lib/constants")
 
 const passthrough = require("./passthrough")
 
+const deniedFeatures = [
+	"accelerometer", "ambient-light-sensor", "battery", "camera", "display-capture", "document-domain", "geolocation", "gyroscope",
+	"magnetometer", "microphone", "midi", "payment", "publickey-credentials-get", "sync-xhr", "usb", "xr-spatial-tracking"
+]
+
 const pinski = new Pinski({
 	port: +process.env.PORT || constants.port,
 	ip: constants.bind_ip,
@@ -12,6 +17,12 @@ const pinski = new Pinski({
 		exts: ["ttf", "woff2", "png", "jpg", "jpeg", "svg", "gif", "webmanifest", "ico"],
 		seconds: 604800
 	},
+	globalHeaders: {
+		"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; block-all-mixed-content",
+		"Feature-Policy": deniedFeatures.map(feature => `${feature} 'none'`).join("; "),
+		"Referrer-Policy": "origin",
+		"X-Content-Type-Options": "nosniff"
+	}
 })
 
 subdirs("pug", async (err, dirs) => {