From 5b930d07fc5856e37e299b581bc015aeb49b8602 Mon Sep 17 00:00:00 2001
From: Fabian Weisshaar
Date: Sat, 29 Dec 2018 20:24:41 +0100
Subject: [PATCH] Add X-XSS-Protection and X-Content-Type-Option HTTP Header
---
 src/nsupdate/settings/base.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/nsupdate/settings/base.py b/src/nsupdate/settings/base.py
index 84ee44c..4565c71 100644
--- a/src/nsupdate/settings/base.py
+++ b/src/nsupdate/settings/base.py
@@ -171,6 +171,7 @@ MIDDLEWARE = (
 'django.contrib.messages.middleware.MessageMiddleware',
 'social_django.middleware.SocialAuthExceptionMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+ 'django.middleware.security.SecurityMiddleware',
 )
 ROOT_URLCONF = 'nsupdate.urls'
@@ -272,6 +273,8 @@ LOGIN_REDIRECT_URL = '/overview/'
 LOGOUT_REDIRECT_URL = '/'
 X_FRAME_OPTIONS = 'DENY' # for clickjacking middleware
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
 CSRF_FAILURE_VIEW = 'nsupdate.main.views.csrf_failure_view'
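Review bot: `SecurityMiddleware` is appended as the last entry of `MIDDLEWARE` in the first hunk, after `XFrameOptionsMiddleware`; Django's project template lists it first, and the docs ask for it near the top of the list when `SECURE_SSL_REDIRECT` is turned on, because every middleware ahead of it would process a plain-HTTP request before the redirect fires. For the two response headers this patch enables the position is irrelevant, so this is placement rather than a defect, but I'd still move `'django.middleware.security.SecurityMiddleware',` to the front of the tuple so a later `SECURE_SSL_REDIRECT = True` does the right thing without anyone remembering to reorder. Enabling the middleware without `SECURE_HSTS_SECONDS` also leaves HSTS off; whether that is deliberate depends on how nsupdate is deployed (a TLS-terminating proxy may already send it), which is not visible here. The `MIDDLEWARE` tuple starts before the hunk.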
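Review bot: `SECURE_BROWSER_XSS_FILTER = True` in the second hunk emits `X-XSS-Protection: 1; mode=block`, which relies on the browser's built-in XSS auditor; Chrome and Edge have since removed that auditor, Firefox never shipped one, and Django dropped the setting in 4.0, so on current browsers it adds no protection and reportedly the auditor itself could be abused to leak cross-site information. It is harmless on the Django version this patch targets, but the header that actually limits injected script is `Content-Security-Policy`, which Django does not set for you and which would be a separate change (django-csp or a small middleware). `SECURE_CONTENT_TYPE_NOSNIFF = True` is the useful half of this hunk and is fine as written. I'd add a comment next to the XSS line so nobody mistakes it for a real control, e.g. `# X-XSS-Protection is legacy; modern browsers ignore it, CSP is the real mitigation`. The commit subject also names the header `X-Content-Type-Option`; the actual header is `X-Content-Type-Options`.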