ncDocConverter/cmd/ncDocConverth/middleware.go

package main

import (
	"fmt"
	"net/http"
	"runtime/debug"

	"github.com/justinas/nosurf"
	"rpjosh.de/ncDocConverter/pkg/logger"
)

func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Note: This is split across multiple lines for readability. You don't
		// need to do this in your own code.
		w.Header().Set("Content-Security-Policy",
			//"default-src 'self' localhost:*; style-src 'self' fonts.googleapis.com localhost:*; font-src fonts.gstatic.com")
			"default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")
		w.Header().Set("Referrer-Policy", "origin-when-cross-origin")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("X-Frame-Options", "deny")
		w.Header().Set("X-XSS-Protection", "0")

		next.ServeHTTP(w, r)
	})
}

func (app *WebApplication) logRequest(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		logger.Info("%s - %s %s %s", r.RemoteAddr, r.Proto, r.Method, r.URL.RequestURI())

		next.ServeHTTP(w, r)
	})
}

func (app *WebApplication) recoverPanic(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Create a deferred function (which will always be run in the event
		// of a panic as Go unwinds the stack).
		defer func() {
			// Use the builtin recover function to check if there has been a
			// panic or not. If there has...
			if err := recover(); err != nil {
				// Set a "Connection: close" header on the response.
				w.Header().Set("Connection", "close")
				// Call the app.serverError helper method to return a 500
				// Internal Server response.
				trace := fmt.Sprintf("%s\n%s", fmt.Errorf("%s", err).Error(), debug.Stack())
				logger.Error(trace)
			}
		}()

		next.ServeHTTP(w, r)
	})
}

// Create a NoSurf middleware function which uses a customized CSRF cookie with
// the Secure, Path and HttpOnly attributes set.
func noSurf(next http.Handler) http.Handler {
	csrfHandler := nosurf.New(next)
	csrfHandler.SetBaseCookie(http.Cookie{
		HttpOnly: true,
		Path:     "/",
		Secure:   true,
	})

	return csrfHandler
}
Implement conversion for OnlyOffice and BoockStack 2023-01-02 10:50:37 +00:00			`package main`

			`import (`
			`"fmt"`
			`"net/http"`
			`"runtime/debug"`

			`"github.com/justinas/nosurf"`
			`"rpjosh.de/ncDocConverter/pkg/logger"`
			`)`

			`func secureHeaders(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Note: This is split across multiple lines for readability. You don't`
			`// need to do this in your own code.`
			`w.Header().Set("Content-Security-Policy",`
			`//"default-src 'self' localhost:; style-src 'self' fonts.googleapis.com localhost:; font-src fonts.gstatic.com")`
			`"default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src ; style-src 'unsafe-inline';")`
			`w.Header().Set("Referrer-Policy", "origin-when-cross-origin")`
			`w.Header().Set("X-Content-Type-Options", "nosniff")`
			`w.Header().Set("X-Frame-Options", "deny")`
			`w.Header().Set("X-XSS-Protection", "0")`

			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`func (app *WebApplication) logRequest(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`logger.Info("%s - %s %s %s", r.RemoteAddr, r.Proto, r.Method, r.URL.RequestURI())`

			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`func (app *WebApplication) recoverPanic(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Create a deferred function (which will always be run in the event`
			`// of a panic as Go unwinds the stack).`
			`defer func() {`
			`// Use the builtin recover function to check if there has been a`
			`// panic or not. If there has...`
			`if err := recover(); err != nil {`
			`// Set a "Connection: close" header on the response.`
			`w.Header().Set("Connection", "close")`
			`// Call the app.serverError helper method to return a 500`
			`// Internal Server response.`
			`trace := fmt.Sprintf("%s\n%s", fmt.Errorf("%s", err).Error(), debug.Stack())`
			`logger.Error(trace)`
			`}`
			`}()`

			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`// Create a NoSurf middleware function which uses a customized CSRF cookie with`
			`// the Secure, Path and HttpOnly attributes set.`
			`func noSurf(next http.Handler) http.Handler {`
			`csrfHandler := nosurf.New(next)`
			`csrfHandler.SetBaseCookie(http.Cookie{`
			`HttpOnly: true,`
			`Path: "/",`
			`Secure: true,`
			`})`

			`return csrfHandler`
			`}`