chore: clean .gitignore cache
This commit is contained in:
GitHub Actions
@@ -1,130 +0,0 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
// SecurityHeadersConfig holds configuration for the security headers middleware.
|
||||
type SecurityHeadersConfig struct {
|
||||
// IsDevelopment enables less strict settings for local development
|
||||
IsDevelopment bool
|
||||
// CustomCSPDirectives allows adding extra CSP directives
|
||||
CustomCSPDirectives map[string]string
|
||||
}
|
||||
|
||||
// DefaultSecurityHeadersConfig returns a secure default configuration.
|
||||
func DefaultSecurityHeadersConfig() SecurityHeadersConfig {
|
||||
return SecurityHeadersConfig{
|
||||
IsDevelopment: false,
|
||||
CustomCSPDirectives: nil,
|
||||
}
|
||||
}
|
||||
|
||||
// SecurityHeaders returns middleware that sets security-related HTTP headers.
|
||||
// This implements Phase 1 of the security hardening plan.
|
||||
func SecurityHeaders(cfg SecurityHeadersConfig) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
// Build Content-Security-Policy
|
||||
csp := buildCSP(cfg)
|
||||
c.Header("Content-Security-Policy", csp)
|
||||
|
||||
// Strict-Transport-Security (HSTS)
|
||||
// max-age=31536000 = 1 year
|
||||
// includeSubDomains ensures all subdomains also use HTTPS
|
||||
// preload allows browser preload lists (requires submission to hstspreload.org)
|
||||
if !cfg.IsDevelopment {
|
||||
c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
|
||||
}
|
||||
|
||||
// X-Frame-Options: Prevent clickjacking
|
||||
// DENY prevents any framing; SAMEORIGIN would allow same-origin framing
|
||||
c.Header("X-Frame-Options", "DENY")
|
||||
|
||||
// X-Content-Type-Options: Prevent MIME sniffing
|
||||
c.Header("X-Content-Type-Options", "nosniff")
|
||||
|
||||
// X-XSS-Protection: Enable browser XSS filtering (legacy but still useful)
|
||||
// mode=block tells browser to block the response if XSS is detected
|
||||
c.Header("X-XSS-Protection", "1; mode=block")
|
||||
|
||||
// Referrer-Policy: Control referrer information sent with requests
|
||||
// strict-origin-when-cross-origin sends full URL for same-origin, origin only for cross-origin
|
||||
c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
|
||||
|
||||
// Permissions-Policy: Restrict browser features
|
||||
// Disable features that aren't needed for security
|
||||
c.Header("Permissions-Policy", buildPermissionsPolicy())
|
||||
|
||||
// Cross-Origin-Opener-Policy: Isolate browsing context
|
||||
// Skip in development mode to avoid browser warnings on HTTP
|
||||
// In production, Caddy always uses HTTPS, so safe to set unconditionally
|
||||
if !cfg.IsDevelopment {
|
||||
c.Header("Cross-Origin-Opener-Policy", "same-origin")
|
||||
}
|
||||
|
||||
// Cross-Origin-Resource-Policy: Prevent cross-origin reads
|
||||
c.Header("Cross-Origin-Resource-Policy", "same-origin")
|
||||
|
||||
// Cross-Origin-Embedder-Policy: Require CORP for cross-origin resources
|
||||
// Note: This can break some external resources, use with caution
|
||||
// c.Header("Cross-Origin-Embedder-Policy", "require-corp")
|
||||
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
// buildCSP constructs the Content-Security-Policy header value.
|
||||
func buildCSP(cfg SecurityHeadersConfig) string {
|
||||
// Base CSP directives for a secure single-page application
|
||||
directives := map[string]string{
|
||||
"default-src": "'self'",
|
||||
"script-src": "'self'",
|
||||
"style-src": "'self' 'unsafe-inline'", // unsafe-inline needed for many CSS-in-JS solutions
|
||||
"img-src": "'self' data: https:", // Allow HTTPS images and data URIs
|
||||
"font-src": "'self' data:", // Allow self-hosted fonts and data URIs
|
||||
"connect-src": "'self'", // API connections
|
||||
"frame-src": "'none'", // No iframes
|
||||
"object-src": "'none'", // No plugins (Flash, etc.)
|
||||
"base-uri": "'self'", // Restrict base tag
|
||||
"form-action": "'self'", // Restrict form submissions
|
||||
}
|
||||
|
||||
// In development, allow more sources for hot reloading, etc.
|
||||
if cfg.IsDevelopment {
|
||||
directives["script-src"] = "'self' 'unsafe-inline' 'unsafe-eval'"
|
||||
directives["connect-src"] = "'self' ws: wss:" // WebSocket for HMR
|
||||
}
|
||||
|
||||
// Apply custom directives
|
||||
for key, value := range cfg.CustomCSPDirectives {
|
||||
directives[key] = value
|
||||
}
|
||||
|
||||
// Build the CSP string
|
||||
var parts []string
|
||||
for directive, value := range directives {
|
||||
parts = append(parts, fmt.Sprintf("%s %s", directive, value))
|
||||
}
|
||||
|
||||
return strings.Join(parts, "; ")
|
||||
}
|
||||
|
||||
// buildPermissionsPolicy constructs the Permissions-Policy header value.
|
||||
func buildPermissionsPolicy() string {
|
||||
// Disable features we don't need
|
||||
policies := []string{
|
||||
"accelerometer=()",
|
||||
"camera=()",
|
||||
"geolocation=()",
|
||||
"gyroscope=()",
|
||||
"magnetometer=()",
|
||||
"microphone=()",
|
||||
"payment=()",
|
||||
"usb=()",
|
||||
}
|
||||
|
||||
return strings.Join(policies, ", ")
|
||||
}
|
||||
Reference in New Issue
Block a user