helmet

package module
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 3, 2022 License: MIT Imports: 3 Imported by: 5

README

Helmet Gopher

Helmet

Go Report Card

HTTP security headers middleware for Go(lang) inspired by HelmetJS.

Helmet helps you secure your Golang web applications by setting various HTTP security headers. It's not a silver bullet, but it can help!

Project is under active maintenance - even if there are no recent commits! Please submit an issue / bug request if you the library needs updating for any reason!

Quick Start

You can see more in the documentation.

go get github.com/goddtriffin/helmet

package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/goddtriffin/helmet"
)

func main() {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "I love HelmetJS, I just wish there was a Go(lang) equivalent...")
	})

	helmet := helmet.Default()
	http.Handle("/", helmet.Secure(handler))

	log.Fatal(http.ListenAndServe(":8080", nil))
}

This code sample can be found in /examples/01-quick-start/.

How It Works

Helmet is a collection of 12 smaller middleware functions that set HTTP security response headers. Initializing via helmet.Default() will not include all of these middleware functions by default.

Module Default
Content-Security-Policy
X-Content-Type-Options nosniff
X-DNS-Prefetch-Control off
X-Download-Options noopen
Expect-CT
Feature-Policy
X-Frame-Options SAMEORIGIN
X-Permitted-Cross-Domain-Policies
X-Powered-By Removes the X-Powered-By header
Referrer-Policy
Strict-Transport-Security max-age=5184000; includeSubDomains (60 days)
X-XSS-Protection 1; mode=block

Credits

Made with 🤬 and 🥲 by Todd Everett Griffin

Helmet is open source under the MIT License.

Gopher image by Renee French, licensed under CC 3.0 license.

Helmet icon by Hand-Drawn Goods, licensed under CC 3.0 license.

Gopher + Helmet remix by Emily Wilson, licensed under CC 3.0 license.

Documentation

Index

Constants

View Source
const HeaderContentSecurityPolicy = "Content-Security-Policy"

HeaderContentSecurityPolicy is the Content-Security-Policy HTTP security header.

View Source
const HeaderExpectCT = "Expect-CT"

HeaderExpectCT is the Expect-CT HTTP security header.

View Source
const HeaderFeaturePolicy = "Feature-Policy"

HeaderFeaturePolicy is the Feature-Policy HTTP security header.

View Source
const HeaderReferrerPolicy = "Referrer-Policy"

HeaderReferrerPolicy is the Referrer-Policy HTTP security header.

View Source
const HeaderStrictTransportSecurity = "Strict-Transport-Security"

HeaderStrictTransportSecurity is the Strict-Transport-Security HTTP security header.

View Source
const HeaderXContentTypeOptions = "X-Content-Type-Options"

HeaderXContentTypeOptions is the X-Content-Type-Options HTTP header.

View Source
const HeaderXDNSPrefetchControl = "X-DNS-Prefetch-Control"

HeaderXDNSPrefetchControl is the X-DNS-Prefetch-Control HTTP header.

View Source
const HeaderXDownloadOptions = "X-Download-Options"

HeaderXDownloadOptions is the X-Download-Options HTTP header.

View Source
const HeaderXFrameOptions = "X-Frame-Options"

HeaderXFrameOptions is the X-Frame-Options HTTP security header.

View Source
const HeaderXPermittedCrossDomainPolicies = "X-Permitted-Cross-Domain-Policies"

HeaderXPermittedCrossDomainPolicies is the X-Permitted-Cross-Domain-Policies HTTP security header.

View Source
const HeaderXPoweredBy = "X-Powered-By"

HeaderXPoweredBy is the X-Powered-By HTTP security header.

View Source
const HeaderXXSSProtection = "X-XSS-Protection"

HeaderXXSSProtection is the X-XSS-Protection HTTP security header.

Variables

This section is empty.

Functions

This section is empty.

Types

type CSPDirective

type CSPDirective string

CSPDirective represents a Content-Security-Policy directive.

const (
	DirectiveChildSrc      CSPDirective = "child-src"
	DirectiveConnectSrc    CSPDirective = "connect-src"
	DirectiveDefaultSrc    CSPDirective = "default-src"
	DirectiveFontSrc       CSPDirective = "font-src"
	DirectiveFrameSrc      CSPDirective = "frame-src"
	DirectiveImgSrc        CSPDirective = "img-src"
	DirectiveManifestSrc   CSPDirective = "manifest-src"
	DirectiveMediaSrc      CSPDirective = "media-src"
	DirectiveObjectSrc     CSPDirective = "object-src"
	DirectivePrefetchSrc   CSPDirective = "prefetch-src"
	DirectiveScriptSrc     CSPDirective = "script-src"
	DirectiveScriptSrcAttr CSPDirective = "script-src-attr"
	DirectiveScriptSrcElem CSPDirective = "script-src-elem"
	DirectiveStyleSrc      CSPDirective = "style-src"
	DirectiveStyleSrcAttr  CSPDirective = "style-src-attr"
	DirectiveStyleSrcElem  CSPDirective = "style-src-elem"
	DirectiveWorkerSrc     CSPDirective = "worker-src"
)

List of all Content-Security-Policy Fetch directives.

const (
	DirectiveBaseURI CSPDirective = "base-uri"
	DirectiveSandbox CSPDirective = "sandbox"
)

List of all Content-Security-Policy Document directives.

const (
	DirectiveFormAction     CSPDirective = "form-action"
	DirectiveFrameAncestors CSPDirective = "frame-ancestors"
	DirectiveNavigateTo     CSPDirective = "navigate-to"
)

List of all Content-Security-Policy Navigation directives.

const (
	DirectiveReportTo            CSPDirective = "report-to"
	DeprecatedDirectiveReportURI CSPDirective = "report-uri" // use 'report-to' Content-Security-Policy directive instead
)

List of all Content-Security-Policy Reporting directives.

const (
	DirectiveRequireSriFor           CSPDirective = "require-sri-for"
	DirectiveRequireTrustedTypesFor  CSPDirective = "require-trusted-types-for"
	DirectiveTrustedTypes            CSPDirective = "trusted-types"
	DirectiveUpgradeInsecureRequests CSPDirective = "upgrade-insecure-requests"
)

List of all Content-Security-Policy Other directives.

const (
	DeprecatedDirectiveBlockAllMixedContent CSPDirective = "block-all-mixed-content"
	DeprecatedDirectivePluginTypes          CSPDirective = "plugin-types"
	DeprecatedDirectiveReferrer             CSPDirective = "referrer" // use 'Referrer-Policy' HTTP header instead
)

List of all Content-Security-Policy Deprecated directives.

type CSPSource

type CSPSource string

CSPSource represents a Content-Security-Policy source.

const (
	SourceWildcard             CSPSource = "*"
	SourceNone                 CSPSource = "'none'"
	SourceSelf                 CSPSource = "'self'"
	SourceHTTP                 CSPSource = "http:"
	SourceHTTPS                CSPSource = "https:"
	SourceData                 CSPSource = "data:"
	SourceMediastream          CSPSource = "mediastream:"
	SourceBlob                 CSPSource = "blob:"
	SourceFilesystem           CSPSource = "filesystem:"
	SourceUnsafeAllowRedirects CSPSource = "'unsafe-allow-redirects'"
	SourceUnsafeEval           CSPSource = "'unsafe-eval'"
	SourceUnsafeHashes         CSPSource = "'unsafe-hashes'"
	SourceUnsafeInline         CSPSource = "'unsafe-inline'"
	SourceStrictDynamic        CSPSource = "'strict-dynamic'"
	SourceReportSample         CSPSource = "'report-sample'"
)

List of all Content-Security-Policy sources.

const (
	DeprecatedReferrerNone                  CSPSource = "\"none\""
	DeprecatedReferrerNoReferrer            CSPSource = "\"no-referrer\""
	DeprecatedReferrerNoneWhenDowngrade     CSPSource = "\"none-when-downgrade\""
	DeprecatedReferrerOrigin                CSPSource = "\"origin\""
	DeprecatedReferrerOriginWhenCrossOrigin CSPSource = "\"origin-when-cross-origin\""
	DeprecatedReferrerUnsafeURL             CSPSource = "\"unsafe-url\""
)

List of all DeprecatedDirectiveReferrer values.

const (
	SandboxAllowDownloads                       CSPSource = "allow-downloads"
	SandboxAllowDownloadsWithoutUserActivation  CSPSource = "allow-downloads-without-user-activation"
	SandboxAllowForms                           CSPSource = "allow-forms"
	SandboxAllowModals                          CSPSource = "allow-modals"
	SandboxAllowOrientationLock                 CSPSource = "allow-orientation-lock"
	SandboxAllowPointerLock                     CSPSource = "allow-pointer-lock"
	SandboxAllowPopups                          CSPSource = "allow-popups"
	SandboxAllowPopupsToEscapeSandbox           CSPSource = "allow-popups-to-escape-sandbox"
	SandboxAllowPresentation                    CSPSource = "allow-presentation"
	SandboxAllowSameOrigin                      CSPSource = "allow-same-origin"
	SandboxAllowScripts                         CSPSource = "allow-scripts"
	SandboxAllowStorageAccessByUserActivatation CSPSource = "allow-storage-access-by-user-activation"
	SandboxAllowTopNavigation                   CSPSource = "allow-top-navigation"
	SandboxAllowTopNavigationByUserActivation   CSPSource = "allow-top-navigation-by-user-activation"
)

List of all DirectiveSandbox values.

const (
	TrustedTypesAllowDuplicates CSPSource = "allow-duplicates"
)

List of all DirectiveTrustedTypes values.

type ContentSecurityPolicy

type ContentSecurityPolicy struct {
	// contains filtered or unexported fields
}

ContentSecurityPolicy represents the Content-Security-Policy HTTP security header.

func EmptyContentSecurityPolicy

func EmptyContentSecurityPolicy() *ContentSecurityPolicy

EmptyContentSecurityPolicy creates a blank slate Content-Security-Policy.

func NewContentSecurityPolicy

func NewContentSecurityPolicy(policies map[CSPDirective][]CSPSource) *ContentSecurityPolicy

NewContentSecurityPolicy creates a new Content-Security-Policy.

func (*ContentSecurityPolicy) Add

func (csp *ContentSecurityPolicy) Add(directive CSPDirective, sources ...CSPSource)

Add adds a directive and its sources.

func (*ContentSecurityPolicy) Empty

func (csp *ContentSecurityPolicy) Empty() bool

Empty returns whether the Content-Security-Policy is empty.

func (*ContentSecurityPolicy) Header

func (csp *ContentSecurityPolicy) Header(w http.ResponseWriter)

Header adds the Content-Security-Policy HTTP security header to the given http.ResponseWriter.

func (*ContentSecurityPolicy) Remove

func (csp *ContentSecurityPolicy) Remove(directives ...CSPDirective)

Remove removes a directive and its sources.

func (*ContentSecurityPolicy) String

func (csp *ContentSecurityPolicy) String() string

String generates the Content-Security-Policy.

type ExpectCT

type ExpectCT struct {
	MaxAge    int    // number of seconds that the browser should cache and apply the received policy for
	Enforce   bool   // controls whether the browser should enforce the policy or treat it as report-only mode
	ReportURI string // specifies where the browser should send reports if it does not receive valid CT information
	// contains filtered or unexported fields
}

ExpectCT represents the Expect-CT HTTP security header.

func EmptyExpectCT

func EmptyExpectCT() *ExpectCT

EmptyExpectCT creates a blank slate Expect-CT.

func NewExpectCT

func NewExpectCT(maxAge int, enforce bool, reportURI string) *ExpectCT

NewExpectCT creates a new Expect-CT.

func (*ExpectCT) Empty

func (ect *ExpectCT) Empty() bool

Empty returns whether the Expect-CT is empty.

func (*ExpectCT) Header

func (ect *ExpectCT) Header(w http.ResponseWriter)

Header adds the Expect-CT HTTP security header to the given http.ResponseWriter.

func (*ExpectCT) String

func (ect *ExpectCT) String() string

type ExpectCTDirective

type ExpectCTDirective string

ExpectCTDirective represents an Expect-CT directive.

const DirectiveEnforce ExpectCTDirective = "enforce"

DirectiveEnforce is the Expect-CT Enforce directive.

func ExpectCTDirectiveMaxAge

func ExpectCTDirectiveMaxAge(maxAge int) ExpectCTDirective

ExpectCTDirectiveMaxAge is the Expect-CT MaxAge directive.

func ExpectCTDirectiveReportURI

func ExpectCTDirectiveReportURI(reportURI string) ExpectCTDirective

ExpectCTDirectiveReportURI is the Expect-CT ReportURI directive.

type FeaturePolicy

type FeaturePolicy struct {
	// contains filtered or unexported fields
}

FeaturePolicy represents the Feature-Policy HTTP security header.

func EmptyFeaturePolicy

func EmptyFeaturePolicy() *FeaturePolicy

EmptyFeaturePolicy creates a blank slate Feature-Policy.

func NewFeaturePolicy

func NewFeaturePolicy(policies map[FeaturePolicyDirective][]FeaturePolicyOrigin) *FeaturePolicy

NewFeaturePolicy creates a new Feature-Policy.

func (*FeaturePolicy) Add

func (fp *FeaturePolicy) Add(directive FeaturePolicyDirective, origins ...FeaturePolicyOrigin)

Add adds a directive and its origins.

func (*FeaturePolicy) Empty

func (fp *FeaturePolicy) Empty() bool

Empty returns whether the Feature-Policy is empty.

func (*FeaturePolicy) Header

func (fp *FeaturePolicy) Header(w http.ResponseWriter)

Header adds the Feature-Policy HTTP security header to the given http.ResponseWriter.

func (*FeaturePolicy) Remove

func (fp *FeaturePolicy) Remove(directives ...FeaturePolicyDirective)

Remove removes a directive and its origins.

func (*FeaturePolicy) String

func (fp *FeaturePolicy) String() string

String generates the Feature-Policy.

type FeaturePolicyDirective

type FeaturePolicyDirective string

FeaturePolicyDirective represents a Feature-Policy directive.

const (
	DirectiveAccelerometer               FeaturePolicyDirective = "accelerometer"
	DirectiveAmbientLightSensor          FeaturePolicyDirective = "ambient-light-sensor"
	DirectiveAutoplay                    FeaturePolicyDirective = "autoplay"
	DirectiveBattery                     FeaturePolicyDirective = "battery"
	DirectiveCamera                      FeaturePolicyDirective = "camera"
	DirectiveDisplayCapture              FeaturePolicyDirective = "display-capture"
	DirectiveDocumentDomain              FeaturePolicyDirective = "document-domain"
	DirectiveEncryptedMedia              FeaturePolicyDirective = "encrypted-media"
	DirectiveExecutionWhileNotRendered   FeaturePolicyDirective = "execution-while-not-rendered"
	DirectiveExecutionWhileOutOfViewport FeaturePolicyDirective = "execution-while-out-of-viewport"
	DirectiveFullscreen                  FeaturePolicyDirective = "fullscreen"
	DirectiveGamepad                     FeaturePolicyDirective = "gamepad"
	DirectiveGeolocation                 FeaturePolicyDirective = "geolocation"
	DirectiveGyroscope                   FeaturePolicyDirective = "gyroscope"
	DirectiveMagnetometer                FeaturePolicyDirective = "magnetometer"
	DirectiveMicrophone                  FeaturePolicyDirective = "microphone"
	DirectiveMidi                        FeaturePolicyDirective = "midi"
	DirectiveNavigationOverride          FeaturePolicyDirective = "navigation-override"
	DirectiveOversizedImages             FeaturePolicyDirective = "oversized-images"
	DirectivePayment                     FeaturePolicyDirective = "payment"
	DirectivePictureInPicture            FeaturePolicyDirective = "picture-in-picture"
	DirectivePublicKeyCredentialsGet     FeaturePolicyDirective = "publickey-credentials-get"
	DirectiveSpeakerSelection            FeaturePolicyDirective = "speaker-selection"
	DirectiveSyncXHR                     FeaturePolicyDirective = "sync-xhr"
	DirectiveUSB                         FeaturePolicyDirective = "usb"
	DirectiveScreenWakeLock              FeaturePolicyDirective = "screen-wake-lock"
	DirectiveWebShare                    FeaturePolicyDirective = "web-share"
	DirectiveXRSpacialTracking           FeaturePolicyDirective = "xr-spatial-tracking"
)

List of all Feature-Policy directives.

const (
	NonStandardDirectiveLayoutAnimations   FeaturePolicyDirective = "layout-animations"
	NonStandardDirectiveLegacyImageFormats FeaturePolicyDirective = "legacy-image-formats"
	NonStandardDirectiveOversizedImages    FeaturePolicyDirective = "oversized-images"
	NonStandardDirectiveUnoptimizedImages  FeaturePolicyDirective = "unoptimized-images"
	NonStandardDirectiveUnsizedMedia       FeaturePolicyDirective = "unsized-media"
)

deprecated

type FeaturePolicyOrigin

type FeaturePolicyOrigin string

FeaturePolicyOrigin represents a Feature-Policy origin.

const (
	OriginWildcard FeaturePolicyOrigin = "*"
	OriginSelf     FeaturePolicyOrigin = "'self'"
	OriginSrc      FeaturePolicyOrigin = "'src'"
	OriginNone     FeaturePolicyOrigin = "'none'"
)

List of all Feature-Policy origins.

type HSTSDirective

type HSTSDirective string

HSTSDirective represents a Strict-Transport-Security directive.

const (
	DirectiveIncludeSubDomains HSTSDirective = "includeSubDomains"
	DirectivePreload           HSTSDirective = "preload"
)

List of all Strict-Transport-Security directives.

func HSTSDirectiveMaxAge

func HSTSDirectiveMaxAge(maxAge int) HSTSDirective

HSTSDirectiveMaxAge is the Strict-Transport-Security MaxAge directive.

type Helmet

type Helmet struct {
	ContentSecurityPolicy         *ContentSecurityPolicy
	XContentTypeOptions           XContentTypeOptions
	XDNSPrefetchControl           XDNSPrefetchControl
	XDownloadOptions              XDownloadOptions
	ExpectCT                      *ExpectCT
	FeaturePolicy                 *FeaturePolicy
	XFrameOptions                 XFrameOptions
	XPermittedCrossDomainPolicies XPermittedCrossDomainPolicies
	XPoweredBy                    *XPoweredBy
	ReferrerPolicy                *ReferrerPolicy
	StrictTransportSecurity       *StrictTransportSecurity
	XXSSProtection                *XXSSProtection
}

Helmet is a HTTP security middleware for Go(lang) inspired by HelmetJS for Express.js.

func Default

func Default() *Helmet

Default creates a new Helmet with default settings.

func Empty

func Empty() *Helmet

Empty creates a new Helmet.

func (*Helmet) Secure

func (h *Helmet) Secure(next http.Handler) http.Handler

Secure is the middleware handler.

type ReferrerPolicy

type ReferrerPolicy struct {
	// contains filtered or unexported fields
}

ReferrerPolicy represents the Referrer-Policy HTTP security header.

func EmptyReferrerPolicy

func EmptyReferrerPolicy() *ReferrerPolicy

EmptyReferrerPolicy creates a blank slate Referrer-Policy.

func NewReferrerPolicy

func NewReferrerPolicy(directives ...ReferrerPolicyDirective) *ReferrerPolicy

NewReferrerPolicy creates a new Referrer-Policy.

func (*ReferrerPolicy) Empty

func (rp *ReferrerPolicy) Empty() bool

Empty returns whether the Referrer-Policy is empty.

func (*ReferrerPolicy) Header

func (rp *ReferrerPolicy) Header(w http.ResponseWriter)

Header adds the Referrer-Policy HTTP header to the given http.ResponseWriter.

func (*ReferrerPolicy) String

func (rp *ReferrerPolicy) String() string

type ReferrerPolicyDirective

type ReferrerPolicyDirective string

ReferrerPolicyDirective represents a Referrer-Policy directive.

const (
	DirectiveNoReferrer                  ReferrerPolicyDirective = "no-referrer"
	DirectiveNoReferrerWhenDowngrade     ReferrerPolicyDirective = "no-referrer-when-downgrade"
	DirectiveOrigin                      ReferrerPolicyDirective = "origin"
	DirectiveOriginWhenCrossOrigin       ReferrerPolicyDirective = "origin-when-cross-origin"
	DirectiveSmaeOrigin                  ReferrerPolicyDirective = "same-origin"
	DirectiveStrictOrigin                ReferrerPolicyDirective = "strict-origin"
	DirectiveStrictOriginWhenCrossOrigin ReferrerPolicyDirective = "strict-origin-when-cross-origin"
	DirectiveUnsafeURL                   ReferrerPolicyDirective = "unsafe-url"
)

X-Frame-Options options.

type StrictTransportSecurity

type StrictTransportSecurity struct {
	// The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
	MaxAge int

	// If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
	IncludeSubDomains bool

	// After successfully submitting your domain to Google maintained HSTS preload service, browsers will never connect to your domain using an insecure connection.
	Preload bool
	// contains filtered or unexported fields
}

StrictTransportSecurity represents the Strict-Transport-Security HTTP security header.

func EmptyStrictTransportSecurity

func EmptyStrictTransportSecurity() *StrictTransportSecurity

EmptyStrictTransportSecurity creates a blank slate Strict-Transport-Security.

func NewStrictTransportSecurity

func NewStrictTransportSecurity(maxAge int, includeSubDomains bool, preload bool) *StrictTransportSecurity

NewStrictTransportSecurity creates a new Strict-Transport-Security.

func (*StrictTransportSecurity) Empty

func (hsts *StrictTransportSecurity) Empty() bool

Empty returns whether the Strict-Transport-Security is empty.

func (*StrictTransportSecurity) Header

Header adds the Strict-Transport-Security HTTP security header to the given http.ResponseWriter.

func (*StrictTransportSecurity) String

func (hsts *StrictTransportSecurity) String() string

type XContentTypeOptions

type XContentTypeOptions string

XContentTypeOptions represents the X-Content-Type-Options HTTP security header.

const XContentTypeOptionsNoSniff XContentTypeOptions = "nosniff"

XContentTypeOptionsNoSniff represents the X-Content-Type-Options No Sniff option.

func (XContentTypeOptions) Empty

func (xcto XContentTypeOptions) Empty() bool

Empty returns whether the X-Content-Type-Options is empty.

func (XContentTypeOptions) Header

func (xcto XContentTypeOptions) Header(w http.ResponseWriter)

Header adds the X-Content-Type-Options HTTP security header to the given http.ResponseWriter.

func (XContentTypeOptions) String

func (xcto XContentTypeOptions) String() string

type XDNSPrefetchControl

type XDNSPrefetchControl string

XDNSPrefetchControl represents the X-DNS-Prefetch-Control HTTP security header.

const (
	XDNSPrefetchControlOn  XDNSPrefetchControl = "on"
	XDNSPrefetchControlOff XDNSPrefetchControl = "off"
)

X-DNS-Prefetch-Control options.

func (XDNSPrefetchControl) Empty

func (dns XDNSPrefetchControl) Empty() bool

Empty returns whether the X-DNS-Prefetch-Control is empty.

func (XDNSPrefetchControl) Header

func (dns XDNSPrefetchControl) Header(w http.ResponseWriter)

Header adds the X-DNS-Prefetch-Control HTTP security header to the given http.ResponseWriter.

func (XDNSPrefetchControl) String

func (dns XDNSPrefetchControl) String() string

type XDownloadOptions

type XDownloadOptions string

XDownloadOptions represents the X-Download-Options HTTP security header.

const XDownloadOptionsNoOpen XDownloadOptions = "noopen"

XDownloadOptionsNoOpen represents the X-Download-Options No Open option.

func (XDownloadOptions) Empty

func (xdo XDownloadOptions) Empty() bool

Empty returns whether the X-Download-Options is empty.

func (XDownloadOptions) Header

func (xdo XDownloadOptions) Header(w http.ResponseWriter)

Header adds the X-Download-Options HTTP security header to the given http.ResponseWriter.

func (XDownloadOptions) String

func (xdo XDownloadOptions) String() string

type XFrameOptions

type XFrameOptions string

XFrameOptions represents the X-Frame-Options HTTP security header.

const (
	XFrameOptionsDeny       XFrameOptions = "DENY"
	XFrameOptionsSameOrigin XFrameOptions = "SAMEORIGIN"
)

X-Frame-Options options.

func (XFrameOptions) Empty

func (xfo XFrameOptions) Empty() bool

Empty returns whether the X-Frame-Options is empty.

func (XFrameOptions) Header

func (xfo XFrameOptions) Header(w http.ResponseWriter)

Header adds the X-Frame-Options HTTP header to the given http.ResponseWriter.

func (XFrameOptions) String

func (xfo XFrameOptions) String() string

type XPermittedCrossDomainPolicies

type XPermittedCrossDomainPolicies string

XPermittedCrossDomainPolicies represents the X-Permitted-Cross-Domain-Policies HTTP security header.

const (
	PermittedCrossDomainPoliciesNone          XPermittedCrossDomainPolicies = "none"
	PermittedCrossDomainPoliciesMasterOnly    XPermittedCrossDomainPolicies = "master-only"
	PermittedCrossDomainPoliciesByContentType XPermittedCrossDomainPolicies = "by-content-type"
	PermittedCrossDomainPoliciesByFTPFilename XPermittedCrossDomainPolicies = "by-ftp-filename"
	PermittedCrossDomainPoliciesAll           XPermittedCrossDomainPolicies = "all"
)

X-Permitted-Cross-Domain-Policies options.

func (XPermittedCrossDomainPolicies) Empty

func (cdp XPermittedCrossDomainPolicies) Empty() bool

Empty returns whether the X-Permitted-Cross-Domain-Policies is empty.

func (XPermittedCrossDomainPolicies) Header

Header adds the X-DNS-Prefetch-Control HTTP security header to the given http.ResponseWriter.

func (XPermittedCrossDomainPolicies) String

type XPoweredBy

type XPoweredBy struct {
	Hide        bool
	Replacement string
}

XPoweredBy represents the X-Powered-By HTTP security header.

func EmptyXPoweredBy

func EmptyXPoweredBy() *XPoweredBy

EmptyXPoweredBy creates a blank slate XPoweredBy.

func NewXPoweredBy

func NewXPoweredBy(hide bool, replacement string) *XPoweredBy

NewXPoweredBy creates a new XPoweredBy.

func (XPoweredBy) Empty

func (xpb XPoweredBy) Empty() bool

Empty returns whether the X-Powered-By is empty.

func (XPoweredBy) Header

func (xpb XPoweredBy) Header(w http.ResponseWriter)

Header adds the X-Powered-By HTTP security header to the given http.ResponseWriter.

type XXSSProtection

type XXSSProtection struct {
	XSSFiltering bool
	Mode         XXSSProtectionDirective
	ReportURI    string
	// contains filtered or unexported fields
}

XXSSProtection represents the X-XSS-Protection HTTP security header.

func EmptyXXSSProtection

func EmptyXXSSProtection() *XXSSProtection

EmptyXXSSProtection creates a blank slate X-XSS-Protection.

func NewXXSSProtection

func NewXXSSProtection(xssFiltering bool, mode XXSSProtectionDirective, reportURI string) *XXSSProtection

NewXXSSProtection creates a new X-XSS-Protection.

func (*XXSSProtection) Empty

func (xssp *XXSSProtection) Empty() bool

Empty returns whether the X-XSS-Protection is empty.

func (*XXSSProtection) Header

func (xssp *XXSSProtection) Header(w http.ResponseWriter)

Header adds the X-XSS-Protection HTTP security header to the given http.ResponseWriter.

func (*XXSSProtection) String

func (xssp *XXSSProtection) String() string

type XXSSProtectionDirective

type XXSSProtectionDirective string

XXSSProtectionDirective represents an X-XSS-Protection directive.

const DirectiveModeBlock XXSSProtectionDirective = "mode=block"

DirectiveModeBlock is the X-XSS-Protection mode=block directive.

func XXSSProtectionDirectiveReportURI

func XXSSProtectionDirectiveReportURI(reportURI string) XXSSProtectionDirective

XXSSProtectionDirectiveReportURI is the X-XSS-Protection ReportURI directive.

func XXSSProtectionDirectiveXSSFiltering

func XXSSProtectionDirectiveXSSFiltering(xssFiltering bool) XXSSProtectionDirective

XXSSProtectionDirectiveXSSFiltering is the X-XSS-Protection XSSFiltering directive.

Directories

Path Synopsis
examples

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL