Use gin-gonic/contrib/secure instead of deprecated module

cmd/whatismyip.go

@@ -13,11 +13,12 @@ import (
 
 	"github.com/dcarrillo/whatismyip/internal/httputils"
 	"github.com/dcarrillo/whatismyip/internal/setting"
+	"github.com/gin-gonic/contrib/secure"
+
 	"github.com/dcarrillo/whatismyip/models"
 	"github.com/dcarrillo/whatismyip/router"
 
 	"github.com/gin-gonic/gin"
-	"github.com/unrolled/secure"
 )
 
 var (
@@ -140,27 +141,12 @@ func setupEngine() {
 	engine.Use(gin.LoggerWithFormatter(httputils.GetLogFormatter))
 	engine.Use(gin.Recovery())
 	if setting.App.EnableSecureHeaders {
-		engine.Use(addSecureHeaders())
+		engine.Use(secure.Secure(secure.Options{
+			BrowserXssFilter:   true,
+			ContentTypeNosniff: true,
+			FrameDeny:          true,
+		}))
 	}
 	_ = engine.SetTrustedProxies(nil)
 	engine.TrustedPlatform = setting.App.TrustedHeader
 }
-
-func addSecureHeaders() gin.HandlerFunc {
-	return func(c *gin.Context) {
-		err := secure.New(secure.Options{
-			BrowserXssFilter:   true,
-			ContentTypeNosniff: true,
-			FrameDeny:          true,
-		}).Process(c.Writer, c.Request)
-		if err != nil {
-			c.Abort()
-			return
-		}
-
-		// Avoid header rewrite if response is a redirection.
-		if status := c.Writer.Status(); status > 300 && status < 399 {
-			c.Abort()
-		}
-	}
-}

go.mod

@@ -3,11 +3,11 @@ module github.com/dcarrillo/whatismyip
 go 1.18
 
 require (
+	github.com/gin-gonic/contrib v0.0.0-20201101042839-6a891bf89f19
 	github.com/gin-gonic/gin v1.7.7
 	github.com/oschwald/maxminddb-golang v1.9.0
 	github.com/stretchr/testify v1.7.1
 	github.com/testcontainers/testcontainers-go v0.12.0
-	github.com/unrolled/secure v1.10.0
 )
 
 require (

go.sum

@@ -292,6 +292,8 @@ github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2H
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gin-gonic/contrib v0.0.0-20201101042839-6a891bf89f19 h1:J2LPEOcQmWaooBnBtUDV9KHFEnP5LYTZY03GiQ0oQBw=
+github.com/gin-gonic/contrib v0.0.0-20201101042839-6a891bf89f19/go.mod h1:iqneQ2Df3omzIVTkIfn7c1acsVnMGiSLn4XF5Blh3Yg=
 github.com/gin-gonic/gin v1.7.7 h1:3DoBmSbJbZAWqXJC3SLjAPfutPJJRN1U5pALB7EeTTs=
 github.com/gin-gonic/gin v1.7.7/go.mod h1:axIBovoeJpVj8S3BwE0uPMTeReE4+AfFtqpqaZ1qq1U=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -696,8 +698,6 @@ github.com/ugorji/go v1.2.7/go.mod h1:nF9osbDWLy6bDVv/Rtoh6QgnvNDpmCalQV5urGCCS6
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/ugorji/go/codec v1.2.7 h1:YPXUKf7fYbp/y8xloBqZOw2qaVggbfwMlI8WM3wZUJ0=
 github.com/ugorji/go/codec v1.2.7/go.mod h1:WGN1fab3R1fzQlVQTkfxVtIBhWDRqOviHU95kRgeqEY=
-github.com/unrolled/secure v1.10.0 h1:TBNP42z2AB+2pW9PR6vdbqhlQuv1iTeSVzK1qHjOBzA=
-github.com/unrolled/secure v1.10.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

integration-tests/integration_test.go

@@ -83,5 +83,8 @@ func TestContainerIntegration(t *testing.T) {
 		}
 
 		assert.NoError(t, json.Unmarshal(body, &router.JSONResponse{}))
+		assert.Equal(t, "DENY", resp.Header.Get("X-Frame-Options"))
+		assert.Equal(t, "nosniff", resp.Header.Get("X-Content-Type-Options"))
+		assert.Equal(t, "1; mode=block", resp.Header.Get("X-Xss-Protection"))
 	}
 }

router/generic_test.go

@@ -165,6 +165,7 @@ func TestClientPort(t *testing.T) {
 			assert.Equal(t, 200, w.Code)
 			assert.Equal(t, contentType.text, w.Header().Get("Content-Type"))
 			assert.Equal(t, tt.expected, w.Body.String())
+			t.Log(w.Header())
 		})
 	}
 }