From cec48743fb7663f209a328c2bc80b8c3eebc47dc Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Thu, 17 Nov 2022 09:24:21 -0500
Subject: [PATCH] ipn/localapi: set security headers

Change-Id: I028b6ab91229e2f824e5a69856ca9e1844f7486e
Signed-off-by: Andrew Dunham
---
 ipn/localapi/localapi.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go
index 31f9b363d..db59c777d 100644
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -143,6 +143,9 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 return
 }
 w.Header().Set("Tailscale-Version", version.Long)
+ w.Header().Set("Content-Security-Policy", `default-src 'none'; frame-ancestors 'none'; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'`)
+ w.Header().Set("X-Frame-Options", "DENY")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
 if h.RequiredPassword != "" {
 _, pass, ok := r.BasicAuth()
 if !ok {
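Review bot: The three new `Set` calls sit below the `return` at the top of the hunk, so whatever that earlier branch writes before bailing out — it appears to respond before `Tailscale-Version` is even set — leaves ServeHTTP without CSP, X-Frame-Options or nosniff; moving the header block (together with the `Tailscale-Version` line) above that branch, or into a small helper invoked on every exit, would make the headers unconditional for every response the handler emits. Under CSP3 `script-src` falls back to `default-src` and `script-src-elem`/`script-src-attr` fall back to `script-src`, so with `default-src 'none'` the three script directives add nothing; if they are deliberate belt-and-braces, a comment such as `// script-src* restated explicitly; default-src 'none' already covers them` would keep a later reader from "simplifying" the policy and quietly changing its intent, and the same applies to `X-Frame-Options: DENY` duplicating `frame-ancestors 'none'` for browsers that ignore CSP. Since responses from this API carry node state, `Cache-Control: no-store` would be a natural companion to these headers, though that is a separate concern from what this commit sets out to do. ServeHTTP both begins and ends outside this hunk, so the early-return branch and the 401 path after the BasicAuth check cannot be fully assessed here.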