Add security HTTP headers (#45)
parent
9ad6d468fd
commit
14b5801f37
2 changed files with 34 additions and 20 deletions
|
@ -41,9 +41,7 @@
|
||||||
document.addEventListener('DOMContentLoaded', () => window.refreshTheme())
|
document.addEventListener('DOMContentLoaded', () => window.refreshTheme())
|
||||||
|
|
||||||
// Template variable from Golang process
|
// Template variable from Golang process
|
||||||
{{- range $key, $value := .Vars }}
|
const version = "{{ .Version }}"
|
||||||
const {{ $key }} = "{{ $value }}"
|
|
||||||
{{- end }}
|
|
||||||
</script>
|
</script>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
50
main.go
50
main.go
|
@ -86,30 +86,46 @@ func assetDelivery(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
w.Header().Set("Content-Type", mime.TypeByExtension(ext))
|
w.Header().Set("Content-Type", mime.TypeByExtension(ext))
|
||||||
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||||
w.Write(assetData)
|
w.Write(assetData)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||||
|
cspHeader = strings.Join([]string{
|
||||||
|
"default-src 'none'",
|
||||||
|
"connect-src 'self'",
|
||||||
|
"font-src 'self'",
|
||||||
|
"img-src 'self'",
|
||||||
|
"script-src 'self' 'unsafe-inline'",
|
||||||
|
"style-src 'self' 'unsafe-inline'",
|
||||||
|
}, ";")
|
||||||
|
|
||||||
|
indexTpl *template.Template
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
source, err := assets.ReadFile("frontend/index.html")
|
||||||
|
if err != nil {
|
||||||
|
log.WithError(err).Fatal("frontend folder should contain index.html Go template")
|
||||||
|
}
|
||||||
|
indexTpl = template.Must(template.New("index.html").Funcs(tplFuncs).Parse(string(source)))
|
||||||
|
}
|
||||||
|
|
||||||
func handleIndex(w http.ResponseWriter, r *http.Request) {
|
func handleIndex(w http.ResponseWriter, r *http.Request) {
|
||||||
indexTpl, err := assets.ReadFile("frontend/index.html")
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||||
if err != nil {
|
w.Header().Set("Referrer-Policy", "no-referrer")
|
||||||
http.Error(w, "404 not found", http.StatusNotFound)
|
w.Header().Set("X-Frame-Options", "DENY")
|
||||||
return
|
w.Header().Set("X-Xss-Protection", "1; mode=block")
|
||||||
}
|
w.Header().Set("Content-Security-Policy", cspHeader)
|
||||||
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||||
|
|
||||||
tpl, err := template.New("index.html").Funcs(tplFuncs).Parse(string(indexTpl))
|
if err := indexTpl.Execute(w, struct {
|
||||||
if err != nil {
|
Version string
|
||||||
http.Error(w, errors.Wrap(err, "parsing template").Error(), http.StatusInternalServerError)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if err = tpl.Execute(w, struct {
|
|
||||||
Vars map[string]string
|
|
||||||
}{
|
}{
|
||||||
Vars: map[string]string{
|
Version: version,
|
||||||
"version": version,
|
|
||||||
},
|
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
http.Error(w, errors.Wrap(err, "parsing template").Error(), http.StatusInternalServerError)
|
http.Error(w, errors.Wrap(err, "executing template").Error(), http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
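Review bot: The `'unsafe-inline'` token in `script-src` of the new cspHeader literal gives up most of the XSS protection the Content-Security-Policy header set in handleIndex is meant to provide, since any injected inline script is still allowed to execute. The only inline script the policy appears to have to accommodate is the `<script>` block in index.html that defines `const version` from `{{ .Version }}`; passing that value through a per-request nonce (`'nonce-…'` in script-src, the same value on the template's `<script nonce>` attribute) or through a `<meta>`/data attribute read by an external script would let `script-src` shrink to `'self'`, and if the token stays it deserves a comment such as `// TODO: 'unsafe-inline' is only needed for the inline version script in index.html; replace with a nonce or hash`. The `X-Xss-Protection` header added in handleIndex is deprecated: current OWASP/MDN guidance is to send `0` or omit it, because the legacy browser filter it enables has been removed from Chromium and was itself a source of side-channel issues, so `w.Header().Set("X-XSS-Protection", "0")` or dropping the line is the safer choice. Separately, the `http.Error` call after `Execute` still returns the wrapped template error text to the client; logging it server-side and sending a generic 500 body would avoid leaking internal details once the response is partially written.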