Add optional secure headers to responses

2022-04-02 18:10:48 +02:00 · 2022-04-02 18:10:48 +02:00 · 12da27ddab
parent aae2e08240
commit 12da27ddab
4 changed files with 69 additions and 34 deletions
--- a/cmd/whatismyip.go
+++ b/cmd/whatismyip.go
@ -17,6 +17,7 @@ import (
 	"github.com/dcarrillo/whatismyip/router"

 	"github.com/gin-gonic/gin"
+	"github.com/unrolled/secure"
 )

 var (
@ -138,6 +139,28 @@ func setupEngine() {
 	engine = gin.New()
 	engine.Use(gin.LoggerWithFormatter(httputils.GetLogFormatter))
 	engine.Use(gin.Recovery())
+	if setting.App.EnableSecureHeaders {
+		engine.Use(addSecureHeaders())
+	}
 	_ = engine.SetTrustedProxies(nil)
 	engine.TrustedPlatform = setting.App.TrustedHeader
 }
+
+func addSecureHeaders() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		err := secure.New(secure.Options{
+			BrowserXssFilter:   true,
+			ContentTypeNosniff: true,
+			FrameDeny:          true,
+		}).Process(c.Writer, c.Request)
+		if err != nil {
+			c.Abort()
+			return
+		}
+
+		// Avoid header rewrite if response is a redirection.
+		if status := c.Writer.Status(); status > 300 && status < 399 {
+			c.Abort()
+		}
+	}
+}
--- a/integration-tests/integration_test.go
+++ b/integration-tests/integration_test.go
@ -34,6 +34,7 @@ func buildContainer() testcontainers.ContainerRequest {
 			"-tls-crt", "/tmp/server.pem",
 			"-tls-key", "/tmp/server.key",
 			"-trusted-header", "X-Real-IP",
+			"-enable-secure-headers",
 		},
 		ExposedPorts: []string{"8000:8000", "8001:8001"},
 		WaitingFor:   wait.ForLog("Starting TLS server listening on :8001"),
--- a/internal/setting/app.go
+++ b/internal/setting/app.go
@ -27,6 +27,7 @@ type settings struct {
 	TLSCrtPath          string
 	TLSKeyPath          string
 	TrustedHeader       string
+	EnableSecureHeaders bool
 	Server              serverSettings
 	version             bool
 }
@ -74,6 +75,12 @@ func Setup(args []string) (output string, err error) {
 		"Trusted request header for remote IP (e.g. X-Real-IP)",
 	)
 	flags.BoolVar(&App.version, "version", false, "Output version information and exit")
+	flags.BoolVar(
+		&App.EnableSecureHeaders,
+		"enable-secure-headers",
+		false,
+		"Add sane security-related headers to every response",
+	)

 	err = flags.Parse(args)
 	if err != nil {
--- a/internal/setting/app_test.go
+++ b/internal/setting/app_test.go
@ -76,6 +76,7 @@ func TestParseFlags(t *testing.T) {
 				TLSCrtPath:          "",
 				TLSKeyPath:          "",
 				TrustedHeader:       "",
+				EnableSecureHeaders: false,
 				Server: serverSettings{
 					ReadTimeout:  10 * time.Second,
 					WriteTimeout: 10 * time.Second,
@ -95,6 +96,7 @@ func TestParseFlags(t *testing.T) {
 				TLSCrtPath:          "",
 				TLSKeyPath:          "",
 				TrustedHeader:       "",
+				EnableSecureHeaders: false,
 				Server: serverSettings{
 					ReadTimeout:  10 * time.Second,
 					WriteTimeout: 10 * time.Second,
@ -117,6 +119,7 @@ func TestParseFlags(t *testing.T) {
 				TLSCrtPath:          "/crt-path",
 				TLSKeyPath:          "/key-path",
 				TrustedHeader:       "",
+				EnableSecureHeaders: false,
 				Server: serverSettings{
 					ReadTimeout:  10 * time.Second,
 					WriteTimeout: 10 * time.Second,
@ -126,7 +129,7 @@ func TestParseFlags(t *testing.T) {
 		{
 			[]string{
 				"-geoip2-city", "/city-path", "-geoip2-asn", "/asn-path",
-				"-trusted-header", "header",
+				"-trusted-header", "header", "-enable-secure-headers",
 			},
 			settings{
 				GeodbPath: geodbPath{
@ -139,6 +142,7 @@ func TestParseFlags(t *testing.T) {
 				TLSCrtPath:          "",
 				TLSKeyPath:          "",
 				TrustedHeader:       "header",
+				EnableSecureHeaders: true,
 				Server: serverSettings{
 					ReadTimeout:  10 * time.Second,
 					WriteTimeout: 10 * time.Second,