package middlewares
import (
"net/http"
)
// securityHeaders holds the response headers that SecurityMiddleware applies
// to every response that does not already carry a value for the same header.
var securityHeaders = map[string]string{
	// NOTE(review): 'unsafe-inline' and 'unsafe-eval' on default-src also
	// govern script-src (which falls back to default-src), so this policy
	// offers little protection against injected scripts; tightening it means
	// auditing the app's inline scripts first. block-all-mixed-content is a
	// deprecated directive — current browsers block or upgrade mixed content
	// on their own.
	"Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https: data:; form-action 'self' *.stripe.com; block-all-mixed-content;",
	// Isolates the browsing context from cross-origin window openers.
	"Cross-Origin-Opener-Policy": "same-origin",
	// Stops browsers from MIME-sniffing the response body.
	"X-Content-Type-Options": "nosniff",
	// Refuses framing by any origin (clickjacking defence).
	"X-Frame-Options": "DENY",
}
// SecurityMiddleware is an http.Handler that adds some basic security headers
// to responses (see securityHeaders) before delegating to the wrapped handler.
type SecurityMiddleware struct {
	// handler is the next handler in the chain; ServeHTTP calls it after the
	// headers have been set.
	handler http.Handler
}
// NewSecurityMiddleware returns a constructor that wraps a handler in a
// SecurityMiddleware. The returned function has the shape middleware chains
// expect: it takes the next handler and returns the wrapped one.
func NewSecurityMiddleware() func(http.Handler) http.Handler {
	wrap := func(next http.Handler) http.Handler {
		return &SecurityMiddleware{handler: next}
	}
	return wrap
}
// ServeHTTP sets every entry of securityHeaders that the response does not
// already carry, then hands the request to the wrapped handler. A header set
// by an earlier middleware is left untouched; the wrapped handler runs after
// this and may still change or remove these headers.
func (f *SecurityMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	hdr := w.Header()
	for name, value := range securityHeaders {
		if hdr.Get(name) != "" {
			// Respect the value chosen earlier in the chain.
			continue
		}
		hdr.Set(name, value)
	}
	f.handler.ServeHTTP(w, r)
}