From 49edeecca01bf099337c17dcd9b44694436e2a9a Mon Sep 17 00:00:00 2001
From: Martin Mahner
Date: Tue, 28 May 2013 23:00:41 +0000
Subject: [PATCH] Clickjacking middleware

---
 dpaste/settings.py | 2 +-
 server/nginx.conf  | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dpaste/settings.py b/dpaste/settings.py
index bd8fa56..e709c29 100644
--- a/dpaste/settings.py
+++ b/dpaste/settings.py
@@ -89,7 +89,7 @@ MIDDLEWARE_CLASSES = (
     'dpaste.disable.DisableCSRF',
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
-    #'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )
 
 TEMPLATE_CONTEXT_PROCESSORS += (
diff --git a/server/nginx.conf b/server/nginx.conf
index 28cbfc3..daadbbd 100644
--- a/server/nginx.conf
+++ b/server/nginx.conf
@@ -24,6 +24,8 @@ server {
     ssl_certificate /srv/dpaste.de/var/ssl/dpaste_de_unified.crt;
     ssl_certificate_key /srv/dpaste.de/var/ssl/dpaste_de.key;
 
+    add_header Strict-Transport-Security max-age=31536000;
+
     include /srv/dpaste.de/src/dpaste/server/nginx_server.conf;
 }
 
@@ -34,5 +36,7 @@ server {
     ssl_certificate /srv/dpaste.de/var/ssl/dpaste_org_unified.crt;
     ssl_certificate_key /srv/dpaste.de/var/ssl/dpaste_org.key;
 
+    add_header Strict-Transport-Security max-age=31536000;
+
     include /srv/dpaste.de/src/dpaste/server/nginx_server.conf;
 }
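Review bot: The added `XFrameOptionsMiddleware` line only decides the header's value through the `X_FRAME_OPTIONS` setting, and this hunk does not set it, so the site gets Django's default (`SAMEORIGIN` on the Django versions current for this commit) rather than an explicit policy. If the paste pages are never meant to be framed, even by the site itself, pinning the policy next to the middleware list makes the intent reviewable: `X_FRAME_OPTIONS = 'DENY'`. The `MIDDLEWARE_CLASSES` tuple starts before this hunk, and the order of the middleware is not affected by the change.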
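Review bot: The new `add_header Strict-Transport-Security` line in this `server` block (and the identical line in the second `server` block of the next hunk) is silently dropped for any response served from a level that declares its own `add_header`, because nginx inherits `add_header` from the enclosing block only when the current block has none; the `include` of `nginx_server.conf` directly below is where such `location`-level headers would likely live, so it is worth checking that file before relying on the header being present site-wide. If `nginx_server.conf` is shared by both TLS server blocks, moving the directive into it would also remove the duplication between the two hunks, provided it lands at server scope and not inside a `location`. A short comment above the directive, such as `# HSTS: one year; served only over TLS, see nginx_server.conf for per-location add_header overrides`, would record the reasoning for the next maintainer.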