safehttp

package

v0.0.0-...-31110fa Latest Latest Go to latest Published: Jun 3, 2024 License: AGPL-3.0 Imports: 6 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

Documentation ¶

Overview ¶

Package safehttp can be used for making http requests when the hostname is not trusted (user inputs). It will avoid SSRF by ensuring that the IP address which will connect is not a private address, or loopback. It also checks that the port is 80 or 443, not anything else.

Index ¶

Variables

Constants ¶

This section is empty.

Variables ¶

View Source

var ClientWithKeepAlive = &http.Client{
	Transport: transportWithKeepAlive,
}

ClientWithKeepAlive is an http client that can be used to avoid SSRF. And it has keep-alive (contrary to safehttp.DefaultClient). The typical use case is moving a Cozy.

View Source

var DefaultClient = &http.Client{
	Timeout:   10 * time.Second,
	Transport: safeTransport,
}

DefaultClient is an http client that can be used instead of http.DefaultClient to avoid SSRF. It has the same default configuration, except it disabled keep-alive, as it is probably not useful in such cases.

Functions ¶

This section is empty.

Types ¶

This section is empty.

Source Files ¶

View all Source files

client.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL