dcarrillo
/
whatismyip
mirror of https://github.com/dcarrillo/whatismyip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add optional secure headers to responses

This commit is contained in:
Daniel Carrillo 2022-04-02 18:10:48 +02:00
parent aae2e08240
commit 12da27ddab
Signed by: dcarrillo
GPG Key ID: E4CD5C09DAED6E16
4 changed files with 69 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
cmd/whatismyip.go
View File

@ -17,6 +17,7 @@ import (
"github.com/dcarrillo/whatismyip/router" "github.com/dcarrillo/whatismyip/router"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/unrolled/secure"
) )
var ( var (
@ -138,6 +139,28 @@ func setupEngine() {
engine = gin.New() engine = gin.New()
engine.Use(gin.LoggerWithFormatter(httputils.GetLogFormatter)) engine.Use(gin.LoggerWithFormatter(httputils.GetLogFormatter))
engine.Use(gin.Recovery()) engine.Use(gin.Recovery())
if setting.App.EnableSecureHeaders {
engine.Use(addSecureHeaders())
}
_ = engine.SetTrustedProxies(nil) _ = engine.SetTrustedProxies(nil)
engine.TrustedPlatform = setting.App.TrustedHeader engine.TrustedPlatform = setting.App.TrustedHeader
} }
func addSecureHeaders() gin.HandlerFunc {
return func(c *gin.Context) {
err := secure.New(secure.Options{
BrowserXssFilter: true,
ContentTypeNosniff: true,
FrameDeny: true,
}).Process(c.Writer, c.Request)
if err != nil {
c.Abort()
return
}
// Avoid header rewrite if response is a redirection.
if status := c.Writer.Status(); status > 300 && status < 399 {
c.Abort()
}
}
}

1
integration-tests/integration_test.go
View File

@ -34,6 +34,7 @@ func buildContainer() testcontainers.ContainerRequest {
"-tls-crt", "/tmp/server.pem", "-tls-crt", "/tmp/server.pem",
"-tls-key", "/tmp/server.key", "-tls-key", "/tmp/server.key",
"-trusted-header", "X-Real-IP", "-trusted-header", "X-Real-IP",
"-enable-secure-headers",
}, },
ExposedPorts: []string{"8000:8000", "8001:8001"}, ExposedPorts: []string{"8000:8000", "8001:8001"},
WaitingFor: wait.ForLog("Starting TLS server listening on :8001"), WaitingFor: wait.ForLog("Starting TLS server listening on :8001"),

25
internal/setting/app.go
View File

@ -20,15 +20,16 @@ type serverSettings struct {
WriteTimeout time.Duration WriteTimeout time.Duration
} }
type settings struct { type settings struct {
GeodbPath geodbPath GeodbPath geodbPath
TemplatePath string TemplatePath string
BindAddress string BindAddress string
TLSAddress string TLSAddress string
TLSCrtPath string TLSCrtPath string
TLSKeyPath string TLSKeyPath string
TrustedHeader string TrustedHeader string
Server serverSettings EnableSecureHeaders bool
version bool Server serverSettings
version bool
} }
const defaultAddress = ":8080" const defaultAddress = ":8080"
@ -74,6 +75,12 @@ func Setup(args []string) (output string, err error) {
"Trusted request header for remote IP (e.g. X-Real-IP)", "Trusted request header for remote IP (e.g. X-Real-IP)",
) )
flags.BoolVar(&App.version, "version", false, "Output version information and exit") flags.BoolVar(&App.version, "version", false, "Output version information and exit")
flags.BoolVar(
&App.EnableSecureHeaders,
"enable-secure-headers",
false,
"Add sane security-related headers to every response",
)
err = flags.Parse(args) err = flags.Parse(args)
if err != nil { if err != nil {

54
internal/setting/app_test.go
View File

@ -70,12 +70,13 @@ func TestParseFlags(t *testing.T) {
City: "/city-path", City: "/city-path",
ASN: "/asn-path", ASN: "/asn-path",
}, },
TemplatePath: "", TemplatePath: "",
BindAddress: ":8080", BindAddress: ":8080",
TLSAddress: "", TLSAddress: "",
TLSCrtPath: "", TLSCrtPath: "",
TLSKeyPath: "", TLSKeyPath: "",
TrustedHeader: "", TrustedHeader: "",
EnableSecureHeaders: false,
Server: serverSettings{ Server: serverSettings{
ReadTimeout: 10 * time.Second, ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,
@ -89,12 +90,13 @@ func TestParseFlags(t *testing.T) {
City: "/city-path", City: "/city-path",
ASN: "/asn-path", ASN: "/asn-path",
}, },
TemplatePath: "", TemplatePath: "",
BindAddress: ":8001", BindAddress: ":8001",
TLSAddress: "", TLSAddress: "",
TLSCrtPath: "", TLSCrtPath: "",
TLSKeyPath: "", TLSKeyPath: "",
TrustedHeader: "", TrustedHeader: "",
EnableSecureHeaders: false,
Server: serverSettings{ Server: serverSettings{
ReadTimeout: 10 * time.Second, ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,
@ -111,12 +113,13 @@ func TestParseFlags(t *testing.T) {
City: "/city-path", City: "/city-path",
ASN: "/asn-path", ASN: "/asn-path",
}, },
TemplatePath: "", TemplatePath: "",
BindAddress: ":8080", BindAddress: ":8080",
TLSAddress: ":9000", TLSAddress: ":9000",
TLSCrtPath: "/crt-path", TLSCrtPath: "/crt-path",
TLSKeyPath: "/key-path", TLSKeyPath: "/key-path",
TrustedHeader: "", TrustedHeader: "",
EnableSecureHeaders: false,
Server: serverSettings{ Server: serverSettings{
ReadTimeout: 10 * time.Second, ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,
@ -126,19 +129,20 @@ func TestParseFlags(t *testing.T) {
{ {
[]string{ []string{
"-geoip2-city", "/city-path", "-geoip2-asn", "/asn-path", "-geoip2-city", "/city-path", "-geoip2-asn", "/asn-path",
"-trusted-header", "header", "-trusted-header", "header", "-enable-secure-headers",
}, },
settings{ settings{
GeodbPath: geodbPath{ GeodbPath: geodbPath{
City: "/city-path", City: "/city-path",
ASN: "/asn-path", ASN: "/asn-path",
}, },
TemplatePath: "", TemplatePath: "",
BindAddress: ":8080", BindAddress: ":8080",
TLSAddress: "", TLSAddress: "",
TLSCrtPath: "", TLSCrtPath: "",
TLSKeyPath: "", TLSKeyPath: "",
TrustedHeader: "header", TrustedHeader: "header",
EnableSecureHeaders: true,
Server: serverSettings{ Server: serverSettings{
ReadTimeout: 10 * time.Second, ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,