x/spend-sparrow
2
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat(security): #278 update csp directives

Browse Source
This commit is contained in:
Tim Wundenberg
2024-11-23 21:50:49 +01:00
parent d752de0447
commit 841c8be63d
1 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
middleware/content_security_policiy.go
View File

@@ -4,10 +4,25 @@ import "net/http"
func ContentSecurityPolicy(next http.Handler) http.Handler { func ContentSecurityPolicy(next http.Handler) http.Handler {
values := map[string]string{
"default-src": "'none'",
"script-src": "'self' https://umami.me-fit.eu",
"connect-src": "'self' https://umami.me-fit.eu",
"img-src": "'self'",
"style-src": "'self'",
"form-action": "'self'",
"frame-ancestors": "'none'",
}
var headerValue string
for key, value := range values {
headerValue += key + " " + value + "; "
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// While this value can be overridden, it can't be moved to after the next.ServeHTTP call, // While this value can be overridden, it can't be moved to after the next.ServeHTTP call,
// because if the response writer get's closed, the headers can't be set anymore // because if the response writer get's closed, the headers can't be set anymore
w.Header().Set("Content-Security-Policy", "default-src 'self' https://umami.me-fit.eu; frame-ancestors 'none'") w.Header().Set("Content-Security-Policy", headerValue)
next.ServeHTTP(w, r) next.ServeHTTP(w, r)
}) })