Add optional secure headers to responses

2025-07-01 11:39:27 +00:00 · 2022-04-02 18:10:48 +02:00
parent aae2e08240
commit 12da27ddab
4 changed files with 69 additions and 34 deletions
--- a/internal/setting/app.go
+++ b/internal/setting/app.go
@ -20,15 +20,16 @@ type serverSettings struct {
 	WriteTimeout time.Duration
 }
 type settings struct {
-	GeodbPath     geodbPath
-	TemplatePath  string
-	BindAddress   string
-	TLSAddress    string
-	TLSCrtPath    string
-	TLSKeyPath    string
-	TrustedHeader string
-	Server        serverSettings
-	version       bool
+	GeodbPath           geodbPath
+	TemplatePath        string
+	BindAddress         string
+	TLSAddress          string
+	TLSCrtPath          string
+	TLSKeyPath          string
+	TrustedHeader       string
+	EnableSecureHeaders bool
+	Server              serverSettings
+	version             bool
 }

 const defaultAddress = ":8080"
@ -74,6 +75,12 @@ func Setup(args []string) (output string, err error) {
 		"Trusted request header for remote IP (e.g. X-Real-IP)",
 	)
 	flags.BoolVar(&App.version, "version", false, "Output version information and exit")
+	flags.BoolVar(
+		&App.EnableSecureHeaders,
+		"enable-secure-headers",
+		false,
+		"Add sane security-related headers to every response",
+	)

 	err = flags.Parse(args)
 	if err != nil {
--- a/internal/setting/app_test.go
+++ b/internal/setting/app_test.go
@ -70,12 +70,13 @@ func TestParseFlags(t *testing.T) {
 					City: "/city-path",
 					ASN:  "/asn-path",
 				},
-				TemplatePath:  "",
-				BindAddress:   ":8080",
-				TLSAddress:    "",
-				TLSCrtPath:    "",
-				TLSKeyPath:    "",
-				TrustedHeader: "",
+				TemplatePath:        "",
+				BindAddress:         ":8080",
+				TLSAddress:          "",
+				TLSCrtPath:          "",
+				TLSKeyPath:          "",
+				TrustedHeader:       "",
+				EnableSecureHeaders: false,
 				Server: serverSettings{
 					ReadTimeout:  10 * time.Second,
 					WriteTimeout: 10 * time.Second,
@ -89,12 +90,13 @@ func TestParseFlags(t *testing.T) {
 					City: "/city-path",
 					ASN:  "/asn-path",
 				},
-				TemplatePath:  "",
-				BindAddress:   ":8001",
-				TLSAddress:    "",
-				TLSCrtPath:    "",
-				TLSKeyPath:    "",
-				TrustedHeader: "",
+				TemplatePath:        "",
+				BindAddress:         ":8001",
+				TLSAddress:          "",
+				TLSCrtPath:          "",
+				TLSKeyPath:          "",
+				TrustedHeader:       "",
+				EnableSecureHeaders: false,
 				Server: serverSettings{
 					ReadTimeout:  10 * time.Second,
 					WriteTimeout: 10 * time.Second,
@ -111,12 +113,13 @@ func TestParseFlags(t *testing.T) {
 					City: "/city-path",
 					ASN:  "/asn-path",
 				},
-				TemplatePath:  "",
-				BindAddress:   ":8080",
-				TLSAddress:    ":9000",
-				TLSCrtPath:    "/crt-path",
-				TLSKeyPath:    "/key-path",
-				TrustedHeader: "",
+				TemplatePath:        "",
+				BindAddress:         ":8080",
+				TLSAddress:          ":9000",
+				TLSCrtPath:          "/crt-path",
+				TLSKeyPath:          "/key-path",
+				TrustedHeader:       "",
+				EnableSecureHeaders: false,
 				Server: serverSettings{
 					ReadTimeout:  10 * time.Second,
 					WriteTimeout: 10 * time.Second,
@ -126,19 +129,20 @@ func TestParseFlags(t *testing.T) {
 		{
 			[]string{
 				"-geoip2-city", "/city-path", "-geoip2-asn", "/asn-path",
-				"-trusted-header", "header",
+				"-trusted-header", "header", "-enable-secure-headers",
 			},
 			settings{
 				GeodbPath: geodbPath{
 					City: "/city-path",
 					ASN:  "/asn-path",
 				},
-				TemplatePath:  "",
-				BindAddress:   ":8080",
-				TLSAddress:    "",
-				TLSCrtPath:    "",
-				TLSKeyPath:    "",
-				TrustedHeader: "header",
+				TemplatePath:        "",
+				BindAddress:         ":8080",
+				TLSAddress:          "",
+				TLSCrtPath:          "",
+				TLSKeyPath:          "",
+				TrustedHeader:       "header",
+				EnableSecureHeaders: true,
 				Server: serverSettings{
 					ReadTimeout:  10 * time.Second,
 					WriteTimeout: 10 * time.Second,