authelia/internal/middlewares/headers.go

package middlewares

import (
	"github.com/valyala/fasthttp"
)

// SecurityHeaders middleware adds several modern recommended security headers with safe values.
func SecurityHeaders(next fasthttp.RequestHandler) fasthttp.RequestHandler {
	return func(ctx *fasthttp.RequestCtx) {
		ctx.Response.Header.SetBytesKV(headerXContentTypeOptions, headerValueNoSniff)
		ctx.Response.Header.SetBytesKV(headerReferrerPolicy, headerValueStrictOriginCrossOrigin)
		ctx.Response.Header.SetBytesKV(headerPermissionsPolicy, headerValueCohort)
		ctx.Response.Header.SetBytesKV(headerXFrameOptions, headerValueSameOrigin)
		ctx.Response.Header.SetBytesKV(headerXXSSProtection, headerValueXSSModeBlock)

		next(ctx)
	}
}

// SecurityHeadersCSPNone middleware adds the Content-Security-Policy header with the value "default-src 'none';".
func SecurityHeadersCSPNone(next fasthttp.RequestHandler) fasthttp.RequestHandler {
	return func(ctx *fasthttp.RequestCtx) {
		ctx.Response.Header.SetBytesKV(headerContentSecurityPolicy, headerValueCSPNone)

		next(ctx)
	}
}

// SecurityHeadersCSPNoneOpenIDConnect middleware adds the Content-Security-Policy header with the value
// "default-src 'none'" except in special circumstances.
func SecurityHeadersCSPNoneOpenIDConnect(next fasthttp.RequestHandler) fasthttp.RequestHandler {
	return func(ctx *fasthttp.RequestCtx) {
		ctx.SetUserValueBytes(UserValueKeyFormPost, false)

		next(ctx)

		if modeFormPost, ok := ctx.UserValueBytes(UserValueKeyFormPost).(bool); ok && modeFormPost {
			ctx.Response.Header.SetBytesKV(headerContentSecurityPolicy, headerValueCSPNoneFormPost)
		} else {
			ctx.Response.Header.SetBytesKV(headerContentSecurityPolicy, headerValueCSPNone)
		}
	}
}

// SecurityHeadersNoStore middleware adds the Pragma no-cache and Cache-Control no-store headers.
func SecurityHeadersNoStore(next fasthttp.RequestHandler) fasthttp.RequestHandler {
	return func(ctx *fasthttp.RequestCtx) {
		ctx.Response.Header.SetBytesKV(headerPragma, headerValueNoCache)
		ctx.Response.Header.SetBytesKV(headerCacheControl, headerValueNoStore)

		next(ctx)
	}
}
fix(server): missing modern security headers (#3288) This fixes an issue with missing modern security headers such as the X-Content-Type-Options, Referer-Policy, etc. 2022-05-03 02:19:30 +00:00			`package middlewares`

			`import (`
			`"github.com/valyala/fasthttp"`
			`)`

			`// SecurityHeaders middleware adds several modern recommended security headers with safe values.`
			`func SecurityHeaders(next fasthttp.RequestHandler) fasthttp.RequestHandler {`
			`return func(ctx *fasthttp.RequestCtx) {`
			`ctx.Response.Header.SetBytesKV(headerXContentTypeOptions, headerValueNoSniff)`
			`ctx.Response.Header.SetBytesKV(headerReferrerPolicy, headerValueStrictOriginCrossOrigin)`
			`ctx.Response.Header.SetBytesKV(headerPermissionsPolicy, headerValueCohort)`
fix(server): missing cache and xss headers (#3289) Addresses documentation and a couple of headers which were missed. 2022-05-04 04:47:23 +00:00			`ctx.Response.Header.SetBytesKV(headerXFrameOptions, headerValueSameOrigin)`
			`ctx.Response.Header.SetBytesKV(headerXXSSProtection, headerValueXSSModeBlock)`

			`next(ctx)`
			`}`
			`}`

			`// SecurityHeadersCSPNone middleware adds the Content-Security-Policy header with the value "default-src 'none';".`
			`func SecurityHeadersCSPNone(next fasthttp.RequestHandler) fasthttp.RequestHandler {`
			`return func(ctx *fasthttp.RequestCtx) {`
			`ctx.Response.Header.SetBytesKV(headerContentSecurityPolicy, headerValueCSPNone)`

			`next(ctx)`
			`}`
			`}`

fix(oidc): csp blocks form_post response form submit (#4719) This fixes an issue where the form_post response never gets submitted. Fixes #4669 2023-01-07 20:04:06 +00:00			`// SecurityHeadersCSPNoneOpenIDConnect middleware adds the Content-Security-Policy header with the value`
			`// "default-src 'none'" except in special circumstances.`
			`func SecurityHeadersCSPNoneOpenIDConnect(next fasthttp.RequestHandler) fasthttp.RequestHandler {`
			`return func(ctx *fasthttp.RequestCtx) {`
			`ctx.SetUserValueBytes(UserValueKeyFormPost, false)`

			`next(ctx)`

			`if modeFormPost, ok := ctx.UserValueBytes(UserValueKeyFormPost).(bool); ok && modeFormPost {`
			`ctx.Response.Header.SetBytesKV(headerContentSecurityPolicy, headerValueCSPNoneFormPost)`
			`} else {`
			`ctx.Response.Header.SetBytesKV(headerContentSecurityPolicy, headerValueCSPNone)`
			`}`
			`}`
			`}`

fix(server): missing cache and xss headers (#3289) Addresses documentation and a couple of headers which were missed. 2022-05-04 04:47:23 +00:00			`// SecurityHeadersNoStore middleware adds the Pragma no-cache and Cache-Control no-store headers.`
			`func SecurityHeadersNoStore(next fasthttp.RequestHandler) fasthttp.RequestHandler {`
			`return func(ctx *fasthttp.RequestCtx) {`
			`ctx.Response.Header.SetBytesKV(headerPragma, headerValueNoCache)`
			`ctx.Response.Header.SetBytesKV(headerCacheControl, headerValueNoStore)`
fix(server): missing modern security headers (#3288) This fixes an issue with missing modern security headers such as the X-Content-Type-Options, Referer-Policy, etc. 2022-05-03 02:19:30 +00:00
			`next(ctx)`
			`}`
			`}`