mirror of
https://github.com/dcarrillo/whatismyip.git
synced 2024-12-22 13:18:01 +00:00
Add optional secure headers to responses
parent
aae2e08240
commit
12da27ddab
@ -17,6 +17,7 @@ import (
|
|||||||
"github.com/dcarrillo/whatismyip/router"
|
"github.com/dcarrillo/whatismyip/router"
|
||||||
|
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
|
"github.com/unrolled/secure"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -138,6 +139,28 @@ func setupEngine() {
|
|||||||
engine = gin.New()
|
engine = gin.New()
|
||||||
engine.Use(gin.LoggerWithFormatter(httputils.GetLogFormatter))
|
engine.Use(gin.LoggerWithFormatter(httputils.GetLogFormatter))
|
||||||
engine.Use(gin.Recovery())
|
engine.Use(gin.Recovery())
|
||||||
|
if setting.App.EnableSecureHeaders {
|
||||||
|
engine.Use(addSecureHeaders())
|
||||||
|
}
|
||||||
_ = engine.SetTrustedProxies(nil)
|
_ = engine.SetTrustedProxies(nil)
|
||||||
engine.TrustedPlatform = setting.App.TrustedHeader
|
engine.TrustedPlatform = setting.App.TrustedHeader
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func addSecureHeaders() gin.HandlerFunc {
|
||||||
|
return func(c *gin.Context) {
|
||||||
|
err := secure.New(secure.Options{
|
||||||
|
BrowserXssFilter: true,
|
||||||
|
ContentTypeNosniff: true,
|
||||||
|
FrameDeny: true,
|
||||||
|
}).Process(c.Writer, c.Request)
|
||||||
|
if err != nil {
|
||||||
|
c.Abort()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Avoid header rewrite if response is a redirection.
|
||||||
|
if status := c.Writer.Status(); status > 300 && status < 399 {
|
||||||
|
c.Abort()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
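Review bot: In addSecureHeaders, `secure.New(secure.Options{...})` sits inside the returned closure, so the middleware object is rebuilt on every request although its options never change; build it once before `return func(c *gin.Context)` and call `Process` on that value. Separately, `BrowserXssFilter: true` emits the legacy `X-XSS-Protection: 1; mode=block` header, which most current browsers no longer act on and which OWASP guidance recommends omitting or setting to `0`; a `ContentSecurityPolicy` value would be the modern replacement if these responses can carry one. The 3xx check after `Process` appears unreachable with the options shown, since no redirect option is set, so a comment saying why it is kept would help the next reader.

```go
func addSecureHeaders() gin.HandlerFunc {
	// Built once: the options do not vary per request.
	headers := secure.New(secure.Options{
		ContentTypeNosniff: true,
		FrameDeny:          true,
	})

	return func(c *gin.Context) {
		if err := headers.Process(c.Writer, c.Request); err != nil {
			c.Abort()
			return
		}
		// … unchanged: redirect status check …
	}
}
```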
|
@ -34,6 +34,7 @@ func buildContainer() testcontainers.ContainerRequest {
|
|||||||
"-tls-crt", "/tmp/server.pem",
|
"-tls-crt", "/tmp/server.pem",
|
||||||
"-tls-key", "/tmp/server.key",
|
"-tls-key", "/tmp/server.key",
|
||||||
"-trusted-header", "X-Real-IP",
|
"-trusted-header", "X-Real-IP",
|
||||||
|
"-enable-secure-headers",
|
||||||
},
|
},
|
||||||
ExposedPorts: []string{"8000:8000", "8001:8001"},
|
ExposedPorts: []string{"8000:8000", "8001:8001"},
|
||||||
WaitingFor: wait.ForLog("Starting TLS server listening on :8001"),
|
WaitingFor: wait.ForLog("Starting TLS server listening on :8001"),
|
||||||
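Review bot: Nothing visible in this section checks that the headers actually appear once `-enable-secure-headers` is passed to the container; the hunk only adds the flag to the command line, and the rest of the integration test is outside it. If no such assertion exists elsewhere in the file, a check on one response for `X-Content-Type-Options: nosniff` and `X-Frame-Options: DENY` would keep the option from silently regressing. buildContainer starts and ends outside the hunk.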
|
@ -27,6 +27,7 @@ type settings struct {
|
|||||||
TLSCrtPath string
|
TLSCrtPath string
|
||||||
TLSKeyPath string
|
TLSKeyPath string
|
||||||
TrustedHeader string
|
TrustedHeader string
|
||||||
|
EnableSecureHeaders bool
|
||||||
Server serverSettings
|
Server serverSettings
|
||||||
version bool
|
version bool
|
||||||
}
|
}
|
||||||
@ -74,6 +75,12 @@ func Setup(args []string) (output string, err error) {
|
|||||||
"Trusted request header for remote IP (e.g. X-Real-IP)",
|
"Trusted request header for remote IP (e.g. X-Real-IP)",
|
||||||
)
|
)
|
||||||
flags.BoolVar(&App.version, "version", false, "Output version information and exit")
|
flags.BoolVar(&App.version, "version", false, "Output version information and exit")
|
||||||
|
flags.BoolVar(
|
||||||
|
&App.EnableSecureHeaders,
|
||||||
|
"enable-secure-headers",
|
||||||
|
false,
|
||||||
|
"Add sane security-related headers to every response",
|
||||||
|
)
|
||||||
|
|
||||||
err = flags.Parse(args)
|
err = flags.Parse(args)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
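Review bot: The help text `"Add sane security-related headers to every response"` does not tell an operator which headers they are opting into; naming them would make the flag auditable from `-help`, for example `"Add X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers to every response"`. The default is `false`, so existing deployments keep sending none of these headers unless the flag is set, which is worth stating in the project documentation. Setup begins and ends outside the hunk.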
|
@ -76,6 +76,7 @@ func TestParseFlags(t *testing.T) {
|
|||||||
TLSCrtPath: "",
|
TLSCrtPath: "",
|
||||||
TLSKeyPath: "",
|
TLSKeyPath: "",
|
||||||
TrustedHeader: "",
|
TrustedHeader: "",
|
||||||
|
EnableSecureHeaders: false,
|
||||||
Server: serverSettings{
|
Server: serverSettings{
|
||||||
ReadTimeout: 10 * time.Second,
|
ReadTimeout: 10 * time.Second,
|
||||||
WriteTimeout: 10 * time.Second,
|
WriteTimeout: 10 * time.Second,
|
||||||
@ -95,6 +96,7 @@ func TestParseFlags(t *testing.T) {
|
|||||||
TLSCrtPath: "",
|
TLSCrtPath: "",
|
||||||
TLSKeyPath: "",
|
TLSKeyPath: "",
|
||||||
TrustedHeader: "",
|
TrustedHeader: "",
|
||||||
|
EnableSecureHeaders: false,
|
||||||
Server: serverSettings{
|
Server: serverSettings{
|
||||||
ReadTimeout: 10 * time.Second,
|
ReadTimeout: 10 * time.Second,
|
||||||
WriteTimeout: 10 * time.Second,
|
WriteTimeout: 10 * time.Second,
|
||||||
@ -117,6 +119,7 @@ func TestParseFlags(t *testing.T) {
|
|||||||
TLSCrtPath: "/crt-path",
|
TLSCrtPath: "/crt-path",
|
||||||
TLSKeyPath: "/key-path",
|
TLSKeyPath: "/key-path",
|
||||||
TrustedHeader: "",
|
TrustedHeader: "",
|
||||||
|
EnableSecureHeaders: false,
|
||||||
Server: serverSettings{
|
Server: serverSettings{
|
||||||
ReadTimeout: 10 * time.Second,
|
ReadTimeout: 10 * time.Second,
|
||||||
WriteTimeout: 10 * time.Second,
|
WriteTimeout: 10 * time.Second,
|
||||||
@ -126,7 +129,7 @@ func TestParseFlags(t *testing.T) {
|
|||||||
{
|
{
|
||||||
[]string{
|
[]string{
|
||||||
"-geoip2-city", "/city-path", "-geoip2-asn", "/asn-path",
|
"-geoip2-city", "/city-path", "-geoip2-asn", "/asn-path",
|
||||||
"-trusted-header", "header",
|
"-trusted-header", "header", "-enable-secure-headers",
|
||||||
},
|
},
|
||||||
settings{
|
settings{
|
||||||
GeodbPath: geodbPath{
|
GeodbPath: geodbPath{
|
||||||
@ -139,6 +142,7 @@ func TestParseFlags(t *testing.T) {
|
|||||||
TLSCrtPath: "",
|
TLSCrtPath: "",
|
||||||
TLSKeyPath: "",
|
TLSKeyPath: "",
|
||||||
TrustedHeader: "header",
|
TrustedHeader: "header",
|
||||||
|
EnableSecureHeaders: true,
|
||||||
Server: serverSettings{
|
Server: serverSettings{
|
||||||
ReadTimeout: 10 * time.Second,
|
ReadTimeout: 10 * time.Second,
|
||||||
WriteTimeout: 10 * time.Second,
|
WriteTimeout: 10 * time.Second,
|
||||||
|