diff --git a/README.md b/README.md
index 21bf892..2320f04 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,7 @@ See the [available environment variables](#environment-variables) for additional
 ### F) Manual
-*Note: `Content-Security-Policy` headers are already sent by Whoogle -- you don't/shouldn't need to apply a CSP header yourself*
+*Note: `Content-Security-Policy` headers can be sent by Whoogle if you set `WHOOGLE_CSP`.*
 Clone the repo and run the following commands to start the app in a local-only environment:
@@ -330,6 +330,7 @@ There are a few optional environment variables available for customizing a Whoog
 | WHOOGLE_ALT_MD | The medium.com alternative to use when site alternatives are enabled in the config. |
 | WHOOGLE_AUTOCOMPLETE | Controls visibility of autocomplete/search suggestions. Default on -- use '0' to disable |
 | WHOOGLE_MINIMAL | Remove everything except basic result cards from all search queries. |
+| WHOOGLE_CSP | Sets a default set of 'Content-Security-Policy' headers |
 ### Config Environment Variables
 These environment variables allow setting default config values, but can be overwritten manually by using the home page config menu. These allow a shortcut for destroying/rebuilding an instance to the same config state every time.
diff --git a/app/routes.py b/app/routes.py
index 9f66d74..e8ac9f4 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -147,10 +147,11 @@ def before_request_func():
 def after_request_func(resp):
 resp.headers['X-Content-Type-Options'] = 'nosniff'
 resp.headers['X-Frame-Options'] = 'DENY'
- resp.headers['Content-Security-Policy'] = app.config['CSP']
- if os.environ.get('HTTPS_ONLY', False):
- resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
- resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
+
+ if os.getenv('WHOOGLE_CSP', False):
+ resp.headers['Content-Security-Policy'] = app.config['CSP']
+ if os.environ.get('HTTPS_ONLY', False):
+ resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
 return resp
diff --git a/whoogle.template.env b/whoogle.template.env
index 754686c..425cef5 100644
--- a/whoogle.template.env
+++ b/whoogle.template.env
@@ -19,6 +19,7 @@
 #WHOOGLE_PROXY_PASS=""
 #WHOOGLE_PROXY_TYPE=""
 #WHOOGLE_PROXY_LOC=""
+#WHOOGLE_CSP=1
 #HTTPS_ONLY=1
 # Restrict results to only those near a particular city
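Review bot: The `Strict-Transport-Security` header is lost in after_request_func: the removed HTTPS_ONLY branch set `resp.headers['Strict-Transport-Security'] = 'max-age=63072000'`, but the new HTTPS_ONLY check nested under WHOOGLE_CSP only appends `upgrade-insecure-requests`, so an HTTPS_ONLY=1 deployment stops sending HSTS even though the README hunks describe only the CSP change. If the intent is only to make CSP opt-in, keep HSTS tied to HTTPS_ONLY outside the CSP block: `if os.environ.get('HTTPS_ONLY', False):` followed by `    resp.headers['Strict-Transport-Security'] = 'max-age=63072000'`. Separately, `os.getenv('WHOOGLE_CSP', False)` treats any non-empty value, including '0', as enabled, which does not match the '0'-disables convention the README table uses for WHOOGLE_AUTOCOMPLETE, so the check should state which values it honours (and the new table row should say so). Because the CSP header is now omitted unless the variable is set, existing instances silently lose it on upgrade; that default flip deserves a sentence in the README or changelog explaining that CSP is opt-in. The hunk's trailing context lines appear to have been collapsed, so whether anything follows `return resp` in after_request_func is not visible here.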