x/spend-sparrow
2
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat(security): #314 include all proposed security headers

Browse Source
This commit is contained in:
Tim Wundenberg
2024-12-12 21:37:23 +01:00
parent 60fe2789cc
commit 1ad694ce2b
8 changed files with 48 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
handler/middleware/cache_control.go
View File

@@ -3,14 +3,11 @@ package middleware
import ( import (
"net/http" "net/http"
"strings" "strings"
"me-fit/log"
) )
func CacheControl(next http.Handler) http.Handler { func CacheControl(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
path := r.URL.Path path := r.URL.Path
log.Info("path: %v", path)
cached := false cached := false
if strings.HasPrefix(path, "/static") { if strings.HasPrefix(path, "/static") {

29
handler/middleware/content_security_policiy.go
View File

@@ -1,29 +0,0 @@
package middleware
import "net/http"
func ContentSecurityPolicy(next http.Handler) http.Handler {
values := map[string]string{
"default-src": "'none'",
"script-src": "'self' https://umami.me-fit.eu",
"connect-src": "'self' https://umami.me-fit.eu",
"img-src": "'self'",
"style-src": "'self'",
"form-action": "'self'",
"frame-ancestors": "'none'",
}
var headerValue string
for key, value := range values {
headerValue += key + " " + value + "; "
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// While this value can be overridden, it can't be moved to after the next.ServeHTTP call,
// because if the response writer get's closed, the headers can't be set anymore
w.Header().Set("Content-Security-Policy", headerValue)
next.ServeHTTP(w, r)
})
}

13
handler/middleware/coop.go
View File

@@ -1,13 +0,0 @@
package middleware
import (
"net/http"
)
func Coop(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
next.ServeHTTP(w, r)
})
}

13
handler/middleware/corp.go
View File

@@ -1,13 +0,0 @@
package middleware
import (
"net/http"
)
func Corp(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
next.ServeHTTP(w, r)
})
}

23
handler/middleware/cors.go
View File

@@ -1,23 +0,0 @@
package middleware
import (
"me-fit/types"
"net/http"
)
func Cors(serverSettings *types.Settings) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
if r.Method == "OPTIONS" {
w.WriteHeader(http.StatusOK)
return
}
next.ServeHTTP(w, r)
})
}
}

46
handler/middleware/security_headers.go Normal file
View File

@@ -0,0 +1,46 @@
package middleware
import (
"net/http"
"me-fit/types"
)
func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Handler {
cspValues := map[string]string{
"default-src": "'none'",
"script-src": "'self' https://umami.me-fit.eu",
"connect-src": "'self' https://umami.me-fit.eu",
"img-src": "'self'",
"style-src": "'self'",
"form-action": "'self'",
"frame-ancestors": "'none'",
}
var csp string
for key, value := range cspValues {
csp += key + " " + value + "; "
}
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
w.Header().Set("Content-Security-Policy", csp)
w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
w.Header().Set("Permissions-Policy", "geolocation=(), camera=(), microphone=()")
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
w.Header().Set("Permissions-Policy", "interest-cohort=()")
if r.Method == "OPTIONS" {
w.WriteHeader(http.StatusOK)
return
}
next.ServeHTTP(w, r)
})
}
}

1
handler/render.go
View File

@@ -23,6 +23,7 @@ func NewRender(settings *types.Settings) *Render {
} }
func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.Component) { func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.Component) {
w.Header().Set("Content-Type", "text/html")
err := comp.Render(r.Context(), w) err := comp.Render(r.Context(), w)
if err != nil { if err != nil {
log.Error("Failed to render layout: %v", err) log.Error("Failed to render layout: %v", err)

5
main.go
View File

@@ -129,11 +129,8 @@ func createHandler(d *sql.DB, serverSettings *types.Settings) http.Handler {
router, router,
middleware.Log, middleware.Log,
middleware.CacheControl, middleware.CacheControl,
middleware.ContentSecurityPolicy, middleware.SecurityHeaders(serverSettings),
middleware.Cors(serverSettings),
middleware.Authenticate(authService), middleware.Authenticate(authService),
middleware.CrossSiteRequestForgery(authService), middleware.CrossSiteRequestForgery(authService),
middleware.Corp,
middleware.Coop,
) )
} }