Browse Source
add support for some security headers
add support for some security headers
This commit adds support for Content-Security-Policy and X-Frame-Options using the ContentSecurityPolicy middleware.pull/36/head
mutantmonkey
9 years ago
4 changed files with 105 additions and 9 deletions
-
40csp.go
-
38csp_test.go
-
2fileserve.go
-
34server.go
@ -0,0 +1,40 @@ |
|||
package main |
|||
|
|||
import ( |
|||
"net/http" |
|||
) |
|||
|
|||
const ( |
|||
cspHeader = "Content-Security-Policy" |
|||
frameOptionsHeader = "X-Frame-Options" |
|||
) |
|||
|
|||
type csp struct { |
|||
h http.Handler |
|||
opts CSPOptions |
|||
} |
|||
|
|||
type CSPOptions struct { |
|||
policy string |
|||
frame string |
|||
} |
|||
|
|||
func (c csp) ServeHTTP(w http.ResponseWriter, r *http.Request) { |
|||
// only add a CSP if one is not already set
|
|||
if existing := w.Header().Get(cspHeader); existing == "" { |
|||
w.Header().Add(cspHeader, c.opts.policy) |
|||
} |
|||
|
|||
w.Header().Set(frameOptionsHeader, c.opts.frame) |
|||
|
|||
c.h.ServeHTTP(w, r) |
|||
} |
|||
|
|||
func ContentSecurityPolicy(o CSPOptions) func(http.Handler) http.Handler { |
|||
fn := func(h http.Handler) http.Handler { |
|||
return csp{h, o} |
|||
} |
|||
return fn |
|||
} |
|||
|
|||
// vim:set ts=8 sw=8 noet:
|
@ -0,0 +1,38 @@ |
|||
package main |
|||
|
|||
import ( |
|||
"net/http" |
|||
"net/http/httptest" |
|||
"testing" |
|||
|
|||
"github.com/zenazn/goji" |
|||
) |
|||
|
|||
var testCSPHeaders = map[string]string{ |
|||
"Content-Security-Policy": "default-src 'none'; style-src 'self';", |
|||
"X-Frame-Options": "SAMEORIGIN", |
|||
} |
|||
|
|||
func TestContentSecurityPolicy(t *testing.T) { |
|||
w := httptest.NewRecorder() |
|||
|
|||
req, err := http.NewRequest("GET", "/", nil) |
|||
if err != nil { |
|||
t.Fatal(err) |
|||
} |
|||
|
|||
goji.Use(ContentSecurityPolicy(CSPOptions{ |
|||
policy: testCSPHeaders["Content-Security-Policy"], |
|||
frame: testCSPHeaders["X-Frame-Options"], |
|||
})) |
|||
|
|||
goji.DefaultMux.ServeHTTP(w, req) |
|||
|
|||
for k, v := range testCSPHeaders { |
|||
if w.HeaderMap[k][0] != v { |
|||
t.Fatalf("%s header did not match expected value set by middleware", k) |
|||
} |
|||
} |
|||
} |
|||
|
|||
// vim:set ts=8 sw=8 noet:
|
Write
Preview
Loading…
Cancel
Save
Reference in new issue