diff options
author | Wim <wim@42.be> | 2019-01-31 17:06:36 +0100 |
---|---|---|
committer | Wim <wim@42.be> | 2019-01-31 17:06:36 +0100 |
commit | c81c0dd22a7779148c4890cfd4bbf490054f06f1 (patch) | |
tree | 06ce6fcdc8f3a2278a2f3050ba42088dd2e64485 /vendor/github.com/labstack/echo/v4/middleware/secure.go | |
parent | f8a1ab4622a5b833282e9ee42f382451d17c1a06 (diff) | |
download | matterbridge-msglm-c81c0dd22a7779148c4890cfd4bbf490054f06f1.tar.gz matterbridge-msglm-c81c0dd22a7779148c4890cfd4bbf490054f06f1.tar.bz2 matterbridge-msglm-c81c0dd22a7779148c4890cfd4bbf490054f06f1.zip |
Update vendor, move to labstack/echo/v4 Fixes #698
Diffstat (limited to 'vendor/github.com/labstack/echo/v4/middleware/secure.go')
-rw-r--r-- | vendor/github.com/labstack/echo/v4/middleware/secure.go | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/vendor/github.com/labstack/echo/v4/middleware/secure.go b/vendor/github.com/labstack/echo/v4/middleware/secure.go new file mode 100644 index 00000000..8839c879 --- /dev/null +++ b/vendor/github.com/labstack/echo/v4/middleware/secure.go @@ -0,0 +1,116 @@ +package middleware + +import ( + "fmt" + + "github.com/labstack/echo/v4" +) + +type ( + // SecureConfig defines the config for Secure middleware. + SecureConfig struct { + // Skipper defines a function to skip middleware. + Skipper Skipper + + // XSSProtection provides protection against cross-site scripting attack (XSS) + // by setting the `X-XSS-Protection` header. + // Optional. Default value "1; mode=block". + XSSProtection string `yaml:"xss_protection"` + + // ContentTypeNosniff provides protection against overriding Content-Type + // header by setting the `X-Content-Type-Options` header. + // Optional. Default value "nosniff". + ContentTypeNosniff string `yaml:"content_type_nosniff"` + + // XFrameOptions can be used to indicate whether or not a browser should + // be allowed to render a page in a <frame>, <iframe> or <object> . + // Sites can use this to avoid clickjacking attacks, by ensuring that their + // content is not embedded into other sites.provides protection against + // clickjacking. + // Optional. Default value "SAMEORIGIN". + // Possible values: + // - "SAMEORIGIN" - The page can only be displayed in a frame on the same origin as the page itself. + // - "DENY" - The page cannot be displayed in a frame, regardless of the site attempting to do so. + // - "ALLOW-FROM uri" - The page can only be displayed in a frame on the specified origin. + XFrameOptions string `yaml:"x_frame_options"` + + // HSTSMaxAge sets the `Strict-Transport-Security` header to indicate how + // long (in seconds) browsers should remember that this site is only to + // be accessed using HTTPS. This reduces your exposure to some SSL-stripping + // man-in-the-middle (MITM) attacks. + // Optional. Default value 0. + HSTSMaxAge int `yaml:"hsts_max_age"` + + // HSTSExcludeSubdomains won't include subdomains tag in the `Strict Transport Security` + // header, excluding all subdomains from security policy. It has no effect + // unless HSTSMaxAge is set to a non-zero value. + // Optional. Default value false. + HSTSExcludeSubdomains bool `yaml:"hsts_exclude_subdomains"` + + // ContentSecurityPolicy sets the `Content-Security-Policy` header providing + // security against cross-site scripting (XSS), clickjacking and other code + // injection attacks resulting from execution of malicious content in the + // trusted web page context. + // Optional. Default value "". + ContentSecurityPolicy string `yaml:"content_security_policy"` + } +) + +var ( + // DefaultSecureConfig is the default Secure middleware config. + DefaultSecureConfig = SecureConfig{ + Skipper: DefaultSkipper, + XSSProtection: "1; mode=block", + ContentTypeNosniff: "nosniff", + XFrameOptions: "SAMEORIGIN", + } +) + +// Secure returns a Secure middleware. +// Secure middleware provides protection against cross-site scripting (XSS) attack, +// content type sniffing, clickjacking, insecure connection and other code injection +// attacks. +func Secure() echo.MiddlewareFunc { + return SecureWithConfig(DefaultSecureConfig) +} + +// SecureWithConfig returns a Secure middleware with config. +// See: `Secure()`. +func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc { + // Defaults + if config.Skipper == nil { + config.Skipper = DefaultSecureConfig.Skipper + } + + return func(next echo.HandlerFunc) echo.HandlerFunc { + return func(c echo.Context) error { + if config.Skipper(c) { + return next(c) + } + + req := c.Request() + res := c.Response() + + if config.XSSProtection != "" { + res.Header().Set(echo.HeaderXXSSProtection, config.XSSProtection) + } + if config.ContentTypeNosniff != "" { + res.Header().Set(echo.HeaderXContentTypeOptions, config.ContentTypeNosniff) + } + if config.XFrameOptions != "" { + res.Header().Set(echo.HeaderXFrameOptions, config.XFrameOptions) + } + if (c.IsTLS() || (req.Header.Get(echo.HeaderXForwardedProto) == "https")) && config.HSTSMaxAge != 0 { + subdomains := "" + if !config.HSTSExcludeSubdomains { + subdomains = "; includeSubdomains" + } + res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains)) + } + if config.ContentSecurityPolicy != "" { + res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy) + } + return next(c) + } + } +} |