// Build metadata stamped in at link time with -ldflags "-X <pkg>.AppVersion=… -X <pkg>.BuildTime=…".
// A binary built without those flags leaves both at the empty string.
var (
	// AppVersion is the revel app version (injected via ldflags).
	AppVersion string
	// BuildTime is the revel app build time (injected via ldflags).
	BuildTime string
)
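// HeaderFilter adds common security headers to every response and then
// hands control to the next filter in the chain.
//
// Headers are written with Set rather than Add so that a value already
// written by another filter (ValidateOrigin also emits X-Frame-Options) is
// replaced instead of duplicated; these headers are single-valued and a
// duplicated or conflicting copy is not interpreted uniformly by browsers.
//
// X-XSS-Protection is a legacy header that current browsers no longer act
// on; it is kept for older clients and is harmless otherwise.
//
// There is a full implementation of a CSRF filter in
// https://github.com/revel/modules/tree/master/csrf
var HeaderFilter = func(c *revel.Controller, fc []revel.Filter) {
	h := c.Response.Out.Header()
	h.Set("X-Frame-Options", "SAMEORIGIN")
	h.Set("X-XSS-Protection", "1; mode=block")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
	// Continue the chain. Assumes fc is non-empty, as revel's filter
	// convention provides (the last element invokes the action) — confirm
	// if this filter is ever installed outside the standard chain.
	fc[0](c, fc[1:])
}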
HeaderFilter adds common security headers. There is a full implementation of a CSRF filter in https://github.com/revel/modules/tree/master/csrf.
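// ValidateOrigin enables the CORS policy and handles pre-flight requests.
//
// The request's Origin header is echoed back in Access-Control-Allow-Origin
// only when it exactly matches one of the hard-coded allowlist entries below;
// any other value (or a missing Origin) gets the default
// https://ffxivprofit.com, which a browser on a different origin will not
// match, so the cross-origin request is refused. The allowlist includes
// localhost and example.com entries — NOTE(review): confirm those are meant
// to ship in production builds.
//
// Access-Control-Allow-Credentials is "true", so the allowlist must never be
// replaced by "*" and only exact allowlisted origins may be echoed.
//
// Every request, preflights included, is recorded through
// controllers.LogEndpointRequest before any response header is written.
//
// An OPTIONS request is answered directly with 204 No Content and does not
// continue down the filter chain; every other method receives the CORS
// headers, has Content-Type forced to JSON, and then calls the next filter.
var ValidateOrigin = func(c *revel.Controller, fc []revel.Filter) {
	const defaultOrigin = "https://ffxivprofit.com"

	originString := defaultOrigin
	switch origin := c.Request.GetHttpHeader("Origin"); origin {
	case "http://localhost:3000",
		"https://ffxivprofit.com",
		"http://localhost:3001",
		"https://analytics.ffxivprofit.com",
		"https://example.com",
		"https://analytics.example.com":
		// Only an exact allowlisted value is echoed, never the raw header.
		originString = origin
	}

	controllers.LogEndpointRequest(models.EndpointRequest{
		ClientIP:      c.ClientIP,
		Endpoint:      c.Request.URL.String(),
		RequestedTime: time.Now(),
	})

	h := c.Response.Out.Header()
	// Set rather than Add: browsers reject a response carrying more than one
	// Access-Control-Allow-Origin value, and the other headers here are
	// single-valued as well.
	h.Set("Access-Control-Allow-Credentials", "true")
	h.Set("Access-Control-Allow-Origin", originString)
	// The response body/headers depend on Origin and the preflight request
	// headers, so shared caches must key on them — on preflight responses
	// too, not only on actual responses.
	h.Set("Vary", "Origin, Access-Control-Request-Method, Access-Control-Request-Headers")

	if c.Request.Method == "OPTIONS" {
		h.Set("Access-Control-Allow-Headers", "Content-Type,AccessToken,X-CSRF-Token, Authorization")
		// NOTE(review): this preflight list omits PUT and DELETE although the
		// actual-response branch below advertises them; browsers honour only
		// the preflight list, so cross-origin PUT/DELETE will be blocked
		// unless this is extended on purpose.
		h.Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
		h.Set("Access-Control-Expose-Headers", "Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type")
		c.Response.SetStatus(http.StatusNoContent)
		return
	}

	h.Set("Access-Control-Allow-Headers", "Origin, Content-Type, Accept")
	h.Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
	h.Set("Content-Type", "application/json; charset=UTF-8")
	h.Set("X-Frame-Options", "SAMEORIGIN")
	fc[0](c, fc[1:])
}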
ValidateOrigin enables the CORS policy and handles pre-flight requests.