Add optional secure headers to responses

This commit is contained in:
Daniel Carrillo 2022-04-02 18:10:48 +02:00
parent aae2e08240
commit 12da27ddab
Signed by: dcarrillo
GPG Key ID: E4CD5C09DAED6E16
4 changed files with 69 additions and 34 deletions

View File

@ -17,6 +17,7 @@ import (
"github.com/dcarrillo/whatismyip/router" "github.com/dcarrillo/whatismyip/router"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/unrolled/secure"
) )
var ( var (
@ -138,6 +139,28 @@ func setupEngine() {
engine = gin.New() engine = gin.New()
engine.Use(gin.LoggerWithFormatter(httputils.GetLogFormatter)) engine.Use(gin.LoggerWithFormatter(httputils.GetLogFormatter))
engine.Use(gin.Recovery()) engine.Use(gin.Recovery())
if setting.App.EnableSecureHeaders {
engine.Use(addSecureHeaders())
}
_ = engine.SetTrustedProxies(nil) _ = engine.SetTrustedProxies(nil)
engine.TrustedPlatform = setting.App.TrustedHeader engine.TrustedPlatform = setting.App.TrustedHeader
} }
func addSecureHeaders() gin.HandlerFunc {
return func(c *gin.Context) {
err := secure.New(secure.Options{
BrowserXssFilter: true,
ContentTypeNosniff: true,
FrameDeny: true,
}).Process(c.Writer, c.Request)
if err != nil {
c.Abort()
return
}
// Avoid header rewrite if response is a redirection.
if status := c.Writer.Status(); status > 300 && status < 399 {
c.Abort()
}
}
}

View File

@ -34,6 +34,7 @@ func buildContainer() testcontainers.ContainerRequest {
"-tls-crt", "/tmp/server.pem", "-tls-crt", "/tmp/server.pem",
"-tls-key", "/tmp/server.key", "-tls-key", "/tmp/server.key",
"-trusted-header", "X-Real-IP", "-trusted-header", "X-Real-IP",
"-enable-secure-headers",
}, },
ExposedPorts: []string{"8000:8000", "8001:8001"}, ExposedPorts: []string{"8000:8000", "8001:8001"},
WaitingFor: wait.ForLog("Starting TLS server listening on :8001"), WaitingFor: wait.ForLog("Starting TLS server listening on :8001"),

View File

@ -27,6 +27,7 @@ type settings struct {
TLSCrtPath string TLSCrtPath string
TLSKeyPath string TLSKeyPath string
TrustedHeader string TrustedHeader string
EnableSecureHeaders bool
Server serverSettings Server serverSettings
version bool version bool
} }
@ -74,6 +75,12 @@ func Setup(args []string) (output string, err error) {
"Trusted request header for remote IP (e.g. X-Real-IP)", "Trusted request header for remote IP (e.g. X-Real-IP)",
) )
flags.BoolVar(&App.version, "version", false, "Output version information and exit") flags.BoolVar(&App.version, "version", false, "Output version information and exit")
flags.BoolVar(
&App.EnableSecureHeaders,
"enable-secure-headers",
false,
"Add sane security-related headers to every response",
)
err = flags.Parse(args) err = flags.Parse(args)
if err != nil { if err != nil {

View File

@ -76,6 +76,7 @@ func TestParseFlags(t *testing.T) {
TLSCrtPath: "", TLSCrtPath: "",
TLSKeyPath: "", TLSKeyPath: "",
TrustedHeader: "", TrustedHeader: "",
EnableSecureHeaders: false,
Server: serverSettings{ Server: serverSettings{
ReadTimeout: 10 * time.Second, ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,
@ -95,6 +96,7 @@ func TestParseFlags(t *testing.T) {
TLSCrtPath: "", TLSCrtPath: "",
TLSKeyPath: "", TLSKeyPath: "",
TrustedHeader: "", TrustedHeader: "",
EnableSecureHeaders: false,
Server: serverSettings{ Server: serverSettings{
ReadTimeout: 10 * time.Second, ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,
@ -117,6 +119,7 @@ func TestParseFlags(t *testing.T) {
TLSCrtPath: "/crt-path", TLSCrtPath: "/crt-path",
TLSKeyPath: "/key-path", TLSKeyPath: "/key-path",
TrustedHeader: "", TrustedHeader: "",
EnableSecureHeaders: false,
Server: serverSettings{ Server: serverSettings{
ReadTimeout: 10 * time.Second, ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,
@ -126,7 +129,7 @@ func TestParseFlags(t *testing.T) {
{ {
[]string{ []string{
"-geoip2-city", "/city-path", "-geoip2-asn", "/asn-path", "-geoip2-city", "/city-path", "-geoip2-asn", "/asn-path",
"-trusted-header", "header", "-trusted-header", "header", "-enable-secure-headers",
}, },
settings{ settings{
GeodbPath: geodbPath{ GeodbPath: geodbPath{
@ -139,6 +142,7 @@ func TestParseFlags(t *testing.T) {
TLSCrtPath: "", TLSCrtPath: "",
TLSKeyPath: "", TLSKeyPath: "",
TrustedHeader: "header", TrustedHeader: "header",
EnableSecureHeaders: true,
Server: serverSettings{ Server: serverSettings{
ReadTimeout: 10 * time.Second, ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,