Documentation
Overview
Package internal provides a higher level wrapper around the standard library http.Server.
This wrapping allows for the addition of helper functions that can be used to trivialise the setup of a secure web server.
The default http.Server is close to being safe to expose directly to the internet but misses some important settings: timeouts, TLS settings, and response headers.
Creating a safe, modern web server with this package is as easy as:
    srv := server.New(
        server.Timeout(120 * time.Second),
        server.TLS(server.ModerniseTLS(&tls.Config{})),
        server.Handle(server.SecureHeaders(handler)),
    )
Additional configurations are also provided to simplify server creation in general.
Index
- Constants
- func ChainMiddleware(mm ...func(http.Handler) http.Handler) func(http.Handler) http.Handler
- func CombinedLogFormatLogger(output io.Writer) func(http.Handler) http.Handler
- func ModerniseTLS(t *tls.Config) *tls.Config
- func SecureHeaders(next http.Handler) http.Handler
- type Option
- type Server
Constants
const CSP = "default-src 'none';" +
"style-src 'self';" +
"img-src 'self';" +
"object-src 'self';" +
"base-uri 'none';" +
"form-action 'none';" +
"frame-ancestors 'none';" +
"plugin-types application/pdf"
CSP defines the Content-Security-Policy applied by the SecureHeaders function. The policy is very restrictive, currently allowing only self-hosted CSS, images, and PDF documents. JavaScript, forms, and iframes are disallowed.
Variables
This section is empty.
Functions
func ChainMiddleware
ChainMiddleware combines all passed middlewares into a single middleware function. Middlewares are applied from the inside out in the order they are passed in: the first middleware wraps the handler directly and the last one becomes the outermost wrapper, so at request time the last middleware passed runs first.
    server.ChainMiddleware(middleware1, middleware2)(handler)
is equivalent to:
    middleware2(middleware1(handler))
func CombinedLogFormatLogger
CombinedLogFormatLogger is a middleware generator function that writes a line in Apache Combined Log Format to the passed output Writer for every request to the wrapped handler.
The definition of the Combined Log Format can be found at: https://httpd.apache.org/docs/2.4/logs.html#combined
func ModerniseTLS
ModerniseTLS modifies a tls.Config to meet Mozilla's intermediate compatibility recommendations (https://wiki.mozilla.org/Security/Server_Side_TLS).
The passed tls.Config is both modified and returned so that the function may optionally be used in a functional chain.
func SecureHeaders
SecureHeaders is an HTTP middleware for adding security headers to server responses. Applying the middleware adds the following header values, inspired by https://securityheaders.com, to responses from the wrapped handler:
    Content-Security-Policy: [see CSP constant]
    Referrer-Policy: no-referrer
    Strict-Transport-Security: max-age=63072000; includeSubDomains
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
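The wrapping order described under ChainMiddleware and the header set listed for SecureHeaders are easy to get wrong when composing middleware, so the following added example (not the package's own code; `chain`, `tag` and `secureHeaders` are illustrative re-implementations written for this page) runs one request through a chain with httptest and returns the observed execution order together with the response headers, so both can be asserted in a test.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// chain mirrors the documented ChainMiddleware semantics (illustrative, not the
// package's code): the first middleware wraps the handler directly, the last one
// passed becomes the outermost wrapper and therefore runs first per request.
func chain(mm ...func(http.Handler) http.Handler) func(http.Handler) http.Handler {
	return func(h http.Handler) http.Handler {
		for _, m := range mm {
			h = m(h)
		}
		return h
	}
}

// tag appends its name to X-Trace before delegating, making request-time order visible.
func tag(name string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Add("X-Trace", name)
			next.ServeHTTP(w, r)
		})
	}
}

// secureHeaders sets the header values listed in the SecureHeaders documentation.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Referrer-Policy", "no-referrer")
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-XSS-Protection", "1; mode=block")
		next.ServeHTTP(w, r)
	})
}

// TraceOrder sends one request through chain(tag("m1"), tag("m2"), secureHeaders)
// and returns the observed order ("m2>m1>handler") with the response headers.
func TraceOrder() (string, http.Header) {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Add("X-Trace", "handler") })
	rec := httptest.NewRecorder()
	chain(tag("m1"), tag("m2"), secureHeaders)(handler).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return strings.Join(rec.Header().Values("X-Trace"), ">"), rec.Header()
}
```

The same recorder-based check can be pointed at a real handler built with the package to confirm that every response, including error responses, carries the full header set.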
Types
type Option
    type Option func(*Server)
Option is a function that applies some option to a Server object.
func ErrorLog
ErrorLog creates a server.Option function that sets the passed log.Logger as the server's ErrorLog.
func Handle
Handle creates a server.Option function that sets the passed http.Handler as the server's Handler.