From 2124f5e9c9d22085d4b4af4567db1b6621588ec1 Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Sat, 16 Aug 2025 03:14:10 +0000
Subject: [PATCH] fix: mitigate XSS vulnerability by sending plain text and setting CSP headers

---
 http/index.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/http/index.js b/http/index.js
index 1577130..977ceb0 100644
--- a/http/index.js
+++ b/http/index.js
@@ -47,7 +47,9 @@ app.get('/fetch', async (req, res) => {
     }
 
     const resp = await axios.get(url);
-    res.send(resp.data);
+    // Mitigate XSS: send fetched content as plain text and enforce strict CSP
+    res.set('Content-Security-Policy', "default-src 'none'; script-src 'none'; object-src 'none';");
+    res.type('text/plain').send(resp.data);
   } catch (e) {
     res.status(500).send(e.message);
   }
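Review bot: The `text/plain` override on the last added line is not paired with an anti-sniffing header, so a lenient client may still interpret the fetched body by content rather than by the declared type; add `res.set('X-Content-Type-Options', 'nosniff');` next to the CSP line. On that CSP line, `script-src 'none'; object-src 'none'` is already implied by `default-src 'none'` and can be dropped to keep the header minimal. The relabelling does not change where `url` comes from: the handler begins above the hunk and the closing `}` at its top suggests an earlier validation block, but if `url` is derived from the request the endpoint still issues server-side requests to caller-chosen destinations, which needs a scheme/host allowlist independent of how the response is labelled. The unchanged `res.status(500).send(e.message)` in the catch branch echoes upstream error text to the caller and is worth a follow-up.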