x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

feat(security): #278 update csp directives
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 39s
Details
Build and Push Docker Image / Build-And-Push-Docker-Image (push) Successful in 45s
Details

Browse Source
This commit was merged in pull request #279.
This commit is contained in:
Tim Wundenberg
2024-11-23 21:50:49 +01:00
parent d752de0447
commit 841c8be63d
1 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
middleware/content_security_policiy.go
View File

@@ -4,10 +4,25 @@ import "net/http"
func ContentSecurityPolicy(next http.Handler) http.Handler { func ContentSecurityPolicy(next http.Handler) http.Handler {
values := map[string]string{
"default-src": "'none'",
"script-src": "'self' https://umami.me-fit.eu",
"connect-src": "'self' https://umami.me-fit.eu",
"img-src": "'self'",
"style-src": "'self'",
"form-action": "'self'",
"frame-ancestors": "'none'",
}
var headerValue string
for key, value := range values {
headerValue += key + " " + value + "; "
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// While this value can be overridden, it can't be moved to after the next.ServeHTTP call, // While this value can be overridden, it can't be moved to after the next.ServeHTTP call,
// because if the response writer get's closed, the headers can't be set anymore // because if the response writer get's closed, the headers can't be set anymore
w.Header().Set("Content-Security-Policy", "default-src 'self' https://umami.me-fit.eu; frame-ancestors 'none'") w.Header().Set("Content-Security-Policy", headerValue)
next.ServeHTTP(w, r) next.ServeHTTP(w, r)
}) })