summaryrefslogtreecommitdiffstats
path: root/vendor/github.com/labstack/echo/v4/middleware/secure.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/labstack/echo/v4/middleware/secure.go')
-rw-r--r--vendor/github.com/labstack/echo/v4/middleware/secure.go23
1 files changed, 22 insertions, 1 deletions
diff --git a/vendor/github.com/labstack/echo/v4/middleware/secure.go b/vendor/github.com/labstack/echo/v4/middleware/secure.go
index 8839c879..77a1487f 100644
--- a/vendor/github.com/labstack/echo/v4/middleware/secure.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/secure.go
@@ -53,6 +53,19 @@ type (
// trusted web page context.
// Optional. Default value "".
ContentSecurityPolicy string `yaml:"content_security_policy"`
+
+ // CSPReportOnly would use the `Content-Security-Policy-Report-Only` header instead
+ // of the `Content-Security-Policy` header. This allows iterative updates of the
+ // content security policy by only reporting the violations that would
+ // have occurred instead of blocking the resource.
+ // Optional. Default value false.
+ CSPReportOnly bool `yaml:"csp_report_only"`
+
+ // HSTSPreloadEnabled will add the preload tag in the `Strict Transport Security`
+ // header, which enables the domain to be included in the HSTS preload list
+ // maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
+ // Optional. Default value false.
+ HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
}
)
@@ -63,6 +76,7 @@ var (
XSSProtection: "1; mode=block",
ContentTypeNosniff: "nosniff",
XFrameOptions: "SAMEORIGIN",
+ HSTSPreloadEnabled: false,
}
)
@@ -105,10 +119,17 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
if !config.HSTSExcludeSubdomains {
subdomains = "; includeSubdomains"
}
+ if config.HSTSPreloadEnabled {
+ subdomains = fmt.Sprintf("%s; preload", subdomains)
+ }
res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains))
}
if config.ContentSecurityPolicy != "" {
- res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
+ if config.CSPReportOnly {
+ res.Header().Set(echo.HeaderContentSecurityPolicyReportOnly, config.ContentSecurityPolicy)
+ } else {
+ res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
+ }
}
return next(c)
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 16:24:56 +0000