Add security HTTP headers (#45)
This commit is contained in:
Vic Demuzere
GitHub
parent
9ad6d468fd
commit
14b5801f37
2 changed files with 34 additions and 20 deletions
|
|
@ -41,9 +41,7 @@
|
|||
document.addEventListener('DOMContentLoaded', () => window.refreshTheme())
|
||||
|
||||
// Template variable from Golang process
|
||||
{{- range $key, $value := .Vars }}
|
||||
const {{ $key }} = "{{ $value }}"
|
||||
{{- end }}
|
||||
const version = "{{ .Version }}"
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
|
|
|
|||
50
main.go
50
main.go
|
|
@ -86,30 +86,46 @@ func assetDelivery(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
w.Header().Set("Content-Type", mime.TypeByExtension(ext))
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Write(assetData)
|
||||
}
|
||||
|
||||
var (
|
||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||
cspHeader = strings.Join([]string{
|
||||
"default-src 'none'",
|
||||
"connect-src 'self'",
|
||||
"font-src 'self'",
|
||||
"img-src 'self'",
|
||||
"script-src 'self' 'unsafe-inline'",
|
||||
"style-src 'self' 'unsafe-inline'",
|
||||
}, ";")
|
||||
|
||||
indexTpl *template.Template
|
||||
)
|
||||
|
||||
func init() {
|
||||
source, err := assets.ReadFile("frontend/index.html")
|
||||
if err != nil {
|
||||
log.WithError(err).Fatal("frontend folder should contain index.html Go template")
|
||||
}
|
||||
indexTpl = template.Must(template.New("index.html").Funcs(tplFuncs).Parse(string(source)))
|
||||
}
|
||||
|
||||
func handleIndex(w http.ResponseWriter, r *http.Request) {
|
||||
indexTpl, err := assets.ReadFile("frontend/index.html")
|
||||
if err != nil {
|
||||
http.Error(w, "404 not found", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||
w.Header().Set("Referrer-Policy", "no-referrer")
|
||||
w.Header().Set("X-Frame-Options", "DENY")
|
||||
w.Header().Set("X-Xss-Protection", "1; mode=block")
|
||||
w.Header().Set("Content-Security-Policy", cspHeader)
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
|
||||
tpl, err := template.New("index.html").Funcs(tplFuncs).Parse(string(indexTpl))
|
||||
if err != nil {
|
||||
http.Error(w, errors.Wrap(err, "parsing template").Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if err = tpl.Execute(w, struct {
|
||||
Vars map[string]string
|
||||
if err := indexTpl.Execute(w, struct {
|
||||
Version string
|
||||
}{
|
||||
Vars: map[string]string{
|
||||
"version": version,
|
||||
},
|
||||
Version: version,
|
||||
}); err != nil {
|
||||
http.Error(w, errors.Wrap(err, "parsing template").Error(), http.StatusInternalServerError)
|
||||
http.Error(w, errors.Wrap(err, "executing template").Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue