photoprism/internal/server/security.go
Michael Mayer 7b96a768d5 WebDAV: Harden response headers for interoperability #5472
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-04 15:23:10 +01:00

51 lines
1.7 KiB
Go

package server
import (
"strings"
"github.com/gin-gonic/gin"
"github.com/photoprism/photoprism/internal/api"
"github.com/photoprism/photoprism/internal/config"
"github.com/photoprism/photoprism/pkg/http/header"
"github.com/photoprism/photoprism/pkg/http/proxy"
)
// Security is a middleware that adds security-related headers to the server's response.
var Security = func(conf *config.Config) gin.HandlerFunc {
proxyPathPrefix := conf.BaseUri(proxy.PathPrefix)
return func(c *gin.Context) {
if strings.HasPrefix(c.Request.URL.Path, proxyPathPrefix) {
return
}
// Only allow crawlers to index the site if it is a public demo (or if there is a public image wall):
// https://github.com/photoprism/photoprism/issues/669
if !conf.Demo() || !conf.Public() {
// Set "X-Robots-Tag" header:
// https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag#xrobotstag
c.Header(header.RobotsTag, header.RobotsNone)
}
// Abort if the request must not be served through a CDN.
if header.AbortCdnRequest(c.Request) {
api.AbortNotFound(c)
return
}
// Skip browser document headers on WebDAV endpoints to avoid
// surprising clients with UI-centric policies.
if IsWebDAVPath(c.Request.URL.Path, conf.BaseUri(WebDAVOriginals), conf.BaseUri(WebDAVImport)) {
return
}
// Set "Content-Security-Policy" header:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
c.Header(header.ContentSecurityPolicy, header.DefaultContentSecurityPolicy)
// Set "X-Frame-Options" header:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
c.Header(header.XFrameOptions, header.DefaultFrameOptions)
}
}