Send security headers for ALL pages. Set autocomplete=off for storage…

… page

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 1.18.3 (2017-11-16)
+
+  ### Minor fixes
+
+  * [html] Ensure HTTPS security headers are sent for downloads and HTML/404 pages
+  * [dashboard] Set `autocomplete=off` on storage page
+
 ## 1.18.2 (2017-11-02)
 
   ### Regression fixes

api/v1/core/helpers.l

@@ -102,6 +102,28 @@
 (de http404 ()
   (http-msg 404) )
 
+(undef 'http1)
+
+(de http1 (Typ Upd File Att)
+   (prinl "HTTP/1." *Http1 " 200 OK^M")
+   (prinl "Server: PicoLisp^M")
+   (prin "Date: ")
+   (httpDate (date T) (time T))
+   (when Upd
+      (prinl "Cache-Control: max-age=" Upd "^M")
+      (when (=0 Upd)
+         (prinl "Cache-Control: private, no-store, no-cache^M") ) )
+   (prinl "Content-Type: " (or Typ "text/html; charset=utf-8") "^M")
+   (when File
+      (prinl
+         "Content-Disposition: "
+         (if Att "attachment" "inline")
+         "; filename=\"" File "\"^M" ) )
+    (prinl "Strict-Transport-Security: max-age=31536000 ; includeSubDomains")
+    (prinl "X-Frame-Options: deny")
+    (prinl "X-XSS-Protection: 1")
+    (prinl "X-Content-Type-Options: nosniff") )
+
 # Extensions for json.l (32-bit only)
 [unless *CPU
   (de encode (Value)

docs/API.md

@@ -1652,4 +1652,4 @@ Content-Type: application/json
 
 ----
 
-Powered by Jidoteki.com - v1.18.2 - [Copyright notices](/docs/NOTICE.TXT)
+Powered by Jidoteki.com - v1.18.3 - [Copyright notices](/docs/NOTICE.TXT)

index.html

@@ -366,7 +366,7 @@ <h3 class="panel-title"><i class="fa icon-database"></i> Storage settings</h3>
               <h4>Select Storage type and configure Settings for persistent data.</h4><br>
               <div class="alert alert-info">All form fields are required</div>
               <div class="row">
-                <form role="form" class="storage-form">
+                <form role="form" autocomplete="off" class="storage-form">
                   <fieldset>
                     <div class="col-lg-12 col-md-12 col-sm-12">
                       <div class="form-group">
@@ -765,7 +765,7 @@ <h1><i style="font-size:2em;" class="fa icon-attention text-warning"></i>
     <script src="docs/jsrrdgraph/strftime.js"></script>
     <script src="docs/jsrrdgraph/draw.js"></script>
     <script src="docs/ui.min.js"></script>
-    <div style="margin-bottom:0;margin-top:3em;position:relative;bottom:0px;width:100%;" class="well text-right text-muted jido-smalltext">Powered by Jidoteki.com - v1.18.2 - <a href="/docs/NOTICE.TXT">Copyright notices</a></div>
+    <div style="margin-bottom:0;margin-top:3em;position:relative;bottom:0px;width:100%;" class="well text-right text-muted jido-smalltext">Powered by Jidoteki.com - v1.18.3 - <a href="/docs/NOTICE.TXT">Copyright notices</a></div>
     <!-- This Source Code Form is subject to the terms of the Mozilla Public-->
     <!-- License, v. 2.0. If a copy of the MPL was not distributed with this-->
     <!-- file, You can obtain one at http://mozilla.org/MPL/2.0/.-->

module.l

@@ -1,6 +1,6 @@
 [de MODULE_INFO
   ("name"       "jidoteki-admin-api")
-  ("version"    "1.18.2")
+  ("version"    "1.18.3")
   ("summary"    "Jidoteki Admin API")
   ("source"     "https://jidoteki.com")
   ("author"     "Alexander Williams")

ui/body-storage.jade

@@ -129,7 +129,7 @@ mixin helpNBD()
           .alert.alert-info
             | All form fields are required
           .row
-            form.storage-form(role='form')
+            form.storage-form(role='form', autocomplete='off')
               fieldset
                 .col-lg-12.col-md-12.col-sm-12
                   .form-group

ui/footer.jade

@@ -26,5 +26,5 @@ script(src='docs/jsrrdgraph/draw.js')
 script(src='docs/ui.min.js')
 
 .well.text-right.text-muted.jido-smalltext(style='margin-bottom:0;margin-top:3em;position:relative;bottom:0px;width:100%;')
-  | Powered by Jidoteki.com - v1.18.2 - 
+  | Powered by Jidoteki.com - v1.18.3 - 
   a(href='/docs/NOTICE.TXT') Copyright notices