From 5fb68b459c1aa48f3d3518b4a23b953d1e2c4103 Mon Sep 17 00:00:00 2001
From: Johannes Keyser
Date: Sun, 5 Nov 2017 11:38:59 +0100
Subject: [PATCH] Enable django SecurityMiddleware, mitigates issue #1111.

Signed-off-by: Johannes Keyser
Reviewed-by: Joseph Nuthalapati
---
 plinth/__main__.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/plinth/__main__.py b/plinth/__main__.py
index 07ca19905..a140c43b4 100644
--- a/plinth/__main__.py
+++ b/plinth/__main__.py
@@ -262,6 +262,7 @@ def configure_django():
 LOGIN_REDIRECT_URL='index',
 MESSAGE_TAGS={message_constants.ERROR: 'danger'},
 MIDDLEWARE_CLASSES=(
+'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'django.middleware.common.CommonMiddleware',
@@ -276,6 +277,8 @@ def configure_django():
 'plinth.middleware.SetupMiddleware',
 ),
 ROOT_URLCONF='plinth.urls',
+SECURE_BROWSER_XSS_FILTER=True,
+SECURE_CONTENT_TYPE_NOSNIFF=True,
 SECURE_PROXY_SSL_HEADER=secure_proxy_ssl_header,
 SESSION_ENGINE='django.contrib.sessions.backends.file',
 SESSION_FILE_PATH=sessions_directory,
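Review bot: The new first entry of MIDDLEWARE_CLASSES has no comment saying why it must stay at the top, and the ordering is load-bearing: SecurityMiddleware adds its headers in response processing, which runs in reverse order, so only the first position guarantees the headers land on responses that a later middleware short-circuits. A maintainer reordering this tuple later could silently undo the mitigation for issue #1111. Suggested comment above the added line: `# Keep first: its headers must be applied to every response, including` / `# ones short-circuited by later middleware (see issue #1111).` The enclosing configure_django() call starts before this hunk and continues past it.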
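Review bot: The two added SECURE_* settings switch on the browser-facing headers but leave SecurityMiddleware's transport-level options at their defaults, so the middleware emits no Strict-Transport-Security header; since SECURE_PROXY_SSL_HEADER is already configured on the next line, request.is_secure() should be trustworthy here and `SECURE_HSTS_SECONDS` could be set from this same call. If HSTS is instead emitted by the front-end web server that terminates TLS, that decision belongs in a comment so nobody adds it twice: `# HSTS/SSL redirect are handled by the reverse proxy, not here — confirm.` Note also that the X-XSS-Protection header behind SECURE_BROWSER_XSS_FILTER is a legacy browser feature that later Django releases deprecated, so SECURE_CONTENT_TYPE_NOSNIFF is the durable part of this change; worth saying so in the commit or a comment. The keyword-argument list continues outside the hunk in both directions.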