Set basic HTTP security headers on status pages served from backend

We should already escape everything printed on these pages, but as part
of a defense in depth strategy we use a restrictive set of HTTP security
headers to minimize the impact in the case of a regression or bug.

1 files changed, 6 insertions, 0 deletions

diff --git a/staging_vespalib/src/tests/state_server/state_server_test.cpp b/staging_vespalib/src/tests/state_server/state_server_test.cpp
index 6c7397a1719..e61d3d216cd 100644
--- a/staging_vespalib/src/tests/state_server/state_server_test.cpp
+++ b/staging_vespalib/src/tests/state_server/state_server_test.cpp
@@ -87,6 +87,12 @@ TEST_FF("require that non-empty known url returns expected headers", DummyHandle
                             "Connection: close\r\n"
                             "Content-Type: application/json\r\n"
                             "Content-Length: 5\r\n"
+                            "X-XSS-Protection: 1; mode=block\r\n"
+                            "X-Frame-Options: DENY\r\n"
+                            "Content-Security-Policy: default-src 'none'\r\n"
+                            "X-Content-Type-Options: nosniff\r\n"
+                            "Cache-Control: no-store\r\n"
+                            "Pragma: no-cache\r\n"
                             "\r\n"
                             "[123]");
     std::string actual = getFull(f2.port(), my_path);