feat(security): #314 include all proposed security headers
This commit is contained in:
@@ -3,14 +3,11 @@ package middleware
|
||||
import (
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"me-fit/log"
|
||||
)
|
||||
|
||||
func CacheControl(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
path := r.URL.Path
|
||||
log.Info("path: %v", path)
|
||||
|
||||
cached := false
|
||||
if strings.HasPrefix(path, "/static") {
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
package middleware
|
||||
|
||||
import "net/http"
|
||||
|
||||
func ContentSecurityPolicy(next http.Handler) http.Handler {
|
||||
|
||||
values := map[string]string{
|
||||
"default-src": "'none'",
|
||||
"script-src": "'self' https://umami.me-fit.eu",
|
||||
"connect-src": "'self' https://umami.me-fit.eu",
|
||||
"img-src": "'self'",
|
||||
"style-src": "'self'",
|
||||
"form-action": "'self'",
|
||||
"frame-ancestors": "'none'",
|
||||
}
|
||||
|
||||
var headerValue string
|
||||
for key, value := range values {
|
||||
headerValue += key + " " + value + "; "
|
||||
}
|
||||
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
// While this value can be overridden, it can't be moved to after the next.ServeHTTP call,
|
||||
// because if the response writer get's closed, the headers can't be set anymore
|
||||
w.Header().Set("Content-Security-Policy", headerValue)
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func Coop(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func Corp(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"me-fit/types"
|
||||
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func Cors(serverSettings *types.Settings) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
|
||||
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
|
||||
|
||||
if r.Method == "OPTIONS" {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
return
|
||||
}
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
46
handler/middleware/security_headers.go
Normal file
46
handler/middleware/security_headers.go
Normal file
@@ -0,0 +1,46 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"me-fit/types"
|
||||
)
|
||||
|
||||
func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Handler {
|
||||
cspValues := map[string]string{
|
||||
"default-src": "'none'",
|
||||
"script-src": "'self' https://umami.me-fit.eu",
|
||||
"connect-src": "'self' https://umami.me-fit.eu",
|
||||
"img-src": "'self'",
|
||||
"style-src": "'self'",
|
||||
"form-action": "'self'",
|
||||
"frame-ancestors": "'none'",
|
||||
}
|
||||
|
||||
var csp string
|
||||
for key, value := range cspValues {
|
||||
csp += key + " " + value + "; "
|
||||
}
|
||||
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
|
||||
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
|
||||
w.Header().Set("Content-Security-Policy", csp)
|
||||
w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
|
||||
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
|
||||
w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
|
||||
w.Header().Set("Permissions-Policy", "geolocation=(), camera=(), microphone=()")
|
||||
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
|
||||
w.Header().Set("Permissions-Policy", "interest-cohort=()")
|
||||
|
||||
if r.Method == "OPTIONS" {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
return
|
||||
}
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -23,6 +23,7 @@ func NewRender(settings *types.Settings) *Render {
|
||||
}
|
||||
|
||||
func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.Component) {
|
||||
w.Header().Set("Content-Type", "text/html")
|
||||
err := comp.Render(r.Context(), w)
|
||||
if err != nil {
|
||||
log.Error("Failed to render layout: %v", err)
|
||||
|
||||
5
main.go
5
main.go
@@ -129,11 +129,8 @@ func createHandler(d *sql.DB, serverSettings *types.Settings) http.Handler {
|
||||
router,
|
||||
middleware.Log,
|
||||
middleware.CacheControl,
|
||||
middleware.ContentSecurityPolicy,
|
||||
middleware.Cors(serverSettings),
|
||||
middleware.SecurityHeaders(serverSettings),
|
||||
middleware.Authenticate(authService),
|
||||
middleware.CrossSiteRequestForgery(authService),
|
||||
middleware.Corp,
|
||||
middleware.Coop,
|
||||
)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user