69 lines
2.3 KiB
Go
69 lines
2.3 KiB
Go
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"runtime/debug"
|
|
|
|
"git.rpjosh.de/RPJosh/go-logger"
|
|
"github.com/justinas/nosurf"
|
|
)
|
|
|
|
func secureHeaders(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// Note: This is split across multiple lines for readability. You don't
|
|
// need to do this in your own code.
|
|
w.Header().Set("Content-Security-Policy",
|
|
//"default-src 'self' localhost:*; style-src 'self' fonts.googleapis.com localhost:*; font-src fonts.gstatic.com")
|
|
"default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")
|
|
w.Header().Set("Referrer-Policy", "origin-when-cross-origin")
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
|
w.Header().Set("X-Frame-Options", "deny")
|
|
w.Header().Set("X-XSS-Protection", "0")
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
func (app *WebApplication) logRequest(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
logger.Info("%s - %s %s %s", r.RemoteAddr, r.Proto, r.Method, r.URL.RequestURI())
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
func (app *WebApplication) recoverPanic(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// Create a deferred function (which will always be run in the event
|
|
// of a panic as Go unwinds the stack).
|
|
defer func() {
|
|
// Use the builtin recover function to check if there has been a
|
|
// panic or not. If there has...
|
|
if err := recover(); err != nil {
|
|
// Set a "Connection: close" header on the response.
|
|
w.Header().Set("Connection", "close")
|
|
// Call the app.serverError helper method to return a 500
|
|
// Internal Server response.
|
|
trace := fmt.Sprintf("%s\n%s", fmt.Errorf("%s", err).Error(), debug.Stack())
|
|
logger.Error(trace)
|
|
}
|
|
}()
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// Create a NoSurf middleware function which uses a customized CSRF cookie with
|
|
// the Secure, Path and HttpOnly attributes set.
|
|
func noSurf(next http.Handler) http.Handler {
|
|
csrfHandler := nosurf.New(next)
|
|
csrfHandler.SetBaseCookie(http.Cookie{
|
|
HttpOnly: true,
|
|
Path: "/",
|
|
Secure: true,
|
|
})
|
|
|
|
return csrfHandler
|
|
}
|