x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

chore(test): add test for cache control and security headers
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 43s
Details
Build and Push Docker Image / Build-And-Push-Docker-Image (push) Successful in 49s
Details

Browse Source
This commit was merged in pull request #334.
This commit is contained in:
Tim Wundenberg
2024-12-16 22:51:23 +01:00
parent 9bb603970d
commit 23aa3d4b0e
4 changed files with 89 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
handler/middleware/cross_site_request_forgery.go
View File

@@ -2,11 +2,10 @@ package middleware
import (
"fmt"
"net/http"
"strings"
"me-fit/service"
"net/http"
)
type csrfResponseWriter struct {

4
handler/middleware/logger.go
View File

@@ -1,12 +1,12 @@
package middleware
import (
"me-fit/log"
"net/http"
"strconv"
"time"
"me-fit/log"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promauto"
)

27
handler/middleware/security_headers.go
View File

@@ -7,33 +7,26 @@ import (
)
func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Handler {
cspValues := map[string]string{
"default-src": "'none'",
"script-src": "'self' https://umami.me-fit.eu",
"connect-src": "'self' https://umami.me-fit.eu",
"img-src": "'self'",
"style-src": "'self'",
"form-action": "'self'",
"frame-ancestors": "'none'",
}
var csp string
for key, value := range cspValues {
csp += key + " " + value + "; "
}
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
w.Header().Set("Content-Security-Policy", csp)
w.Header().Set("Content-Security-Policy",
"default-src 'none';"+
"script-src 'self' https://umami.me-fit.eu"+
"connect-src 'self' https://umami.me-fit.eu"+
"img-src 'self'"+
"style-src 'self'"+
"form-action 'self'"+
"frame-ancestors 'none'",
)
w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
w.Header().Set("Permissions-Policy", "geolocation=(), camera=(), microphone=()")
w.Header().Set("Permissions-Policy", "geolocation=(), camera=(), microphone=(), interest-cohort=()")
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
w.Header().Set("Permissions-Policy", "interest-cohort=()")
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
if r.Method == "OPTIONS" {