secure

package secure v1.9.12

Published: Apr 21, 2018 License: MIT Imports: 8 Imported by: 3

Documentation

Constants

This section is empty.

Variables

Default is a single middleware that protects a Gear app by setting a baseline of security-related HTTP response headers.

app.Use(secure.Default)

It is equivalent to installing the following middlewares in this order:

app.Use(secure.DNSPrefetchControl(false))
app.Use(secure.HidePoweredBy())
app.Use(secure.IENoOpen())
app.Use(secure.NoSniff())
app.Use(secure.NoCache())
app.Use(secure.XSSFilter())
app.Use(secure.FrameGuard(secure.FrameGuardActionSameOrigin))
app.Use(secure.StrictTransportSecurity(secure.StrictTransportSecurityOptions{
	MaxAge:            180 * 24 * time.Hour,
	IncludeSubDomains: true,
}))

Note that Default does not set a Content-Security-Policy; add ContentSecurityPolicy separately if you need one.
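The following is an added example, not code from the secure package or the Gear project: it rebuilds the Default chain above as plain net/http middlewares so you can see exactly which header each step sets, and it runs one request through the chain with httptest, which is the check to keep in a unit test so that a dropped header fails CI. The header values for NoCache are the set used by helmet's nocache (linked further down this page); the middleware names and the Chain/ResponseHeaders helpers are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// Middleware wraps a handler, the net/http equivalent of a gear.Middleware.
type Middleware func(http.Handler) http.Handler

// headers builds a middleware that edits the response headers before the
// next handler runs; every header-setting middleware below is an instance.
func headers(apply func(http.Header)) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			apply(w.Header())
			next.ServeHTTP(w, r)
		})
	}
}

func setHeader(name, value string) Middleware {
	return headers(func(h http.Header) { h.Set(name, value) })
}

// hidePoweredBy deletes X-Powered-By. net/http never emits that header itself,
// so this only matters when something earlier in the chain has set it.
func hidePoweredBy() Middleware {
	return headers(func(h http.Header) { h.Del("X-Powered-By") })
}

// noCache sets the header set helmet's nocache uses, for browsers and shared caches alike.
func noCache() Middleware {
	return headers(func(h http.Header) {
		h.Set("Surrogate-Control", "no-store")
		h.Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
		h.Set("Pragma", "no-cache")
		h.Set("Expires", "0")
	})
}

// HSTSOptions mirrors StrictTransportSecurityOptions on this page.
type HSTSOptions struct {
	MaxAge            time.Duration
	IncludeSubDomains bool
	Preload           bool
}

// HSTSValue renders the Strict-Transport-Security value; max-age is whole seconds.
func HSTSValue(o HSTSOptions) string {
	parts := []string{"max-age=" + strconv.FormatInt(int64(o.MaxAge/time.Second), 10)}
	if o.IncludeSubDomains {
		parts = append(parts, "includeSubDomains")
	}
	if o.Preload {
		parts = append(parts, "preload")
	}
	return strings.Join(parts, "; ")
}

// DefaultHeaders is the chain secure.Default expands to, one entry per middleware.
func DefaultHeaders() []Middleware {
	return []Middleware{
		setHeader("X-DNS-Prefetch-Control", "off"),     // DNSPrefetchControl(false)
		hidePoweredBy(),                                // HidePoweredBy()
		setHeader("X-Download-Options", "noopen"),      // IENoOpen()
		setHeader("X-Content-Type-Options", "nosniff"), // NoSniff()
		noCache(),                                      // NoCache()
		setHeader("X-XSS-Protection", "1; mode=block"), // XSSFilter(), value for non-legacy browsers
		setHeader("X-Frame-Options", "SAMEORIGIN"),     // FrameGuard(FrameGuardActionSameOrigin)
		setHeader("Strict-Transport-Security", HSTSValue(HSTSOptions{
			MaxAge: 180 * 24 * time.Hour, IncludeSubDomains: true})),
	}
}

// Chain applies mws so that mws[0] runs first (outermost).
func Chain(h http.Handler, mws ...Middleware) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// ResponseHeaders sends one request through h and returns the response headers.
func ResponseHeaders(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	// A constructed leaky upstream middleware sets X-Powered-By; hidePoweredBy removes it again.
	chain := append([]Middleware{setHeader("X-Powered-By", "demo")}, DefaultHeaders()...)
	for name, values := range ResponseHeaders(Chain(app, chain...)) {
		fmt.Println(name+":", strings.Join(values, ", "))
	}
}
```

Order matters in a chain like this: a middleware that deletes a header can only remove what ran before it, which is why the leaky middleware is placed first in main.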

Functions

func ContentSecurityPolicy

func ContentSecurityPolicy(directives CSPDirectives) gear.Middleware

ContentSecurityPolicy sets the Content-Security-Policy header (Content-Security-Policy-Report-Only when directives.ReportOnly is set), which restricts where scripts, styles, plugins and other resources may be loaded from and so limits what injected JavaScript, CSS or plugin content can do. See https://content-security-policy.com .

func DNSPrefetchControl

func DNSPrefetchControl(allow bool) gear.Middleware

DNSPrefetchControl sets the X-DNS-Prefetch-Control header to control browser DNS prefetching. Prefetching resolves the hostnames of links on a page before the user clicks them, which leaks those hostnames to the resolver, so for privacy it should be disabled (allow = false) unless the latency win matters more. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching .

func FrameGuard

func FrameGuard(action FrameGuardAction, domains ...string) gear.Middleware

FrameGuard mitigates clickjacking by setting the X-Frame-Options header. Because ALLOW-FROM accepts only a single origin, when action is FrameGuardActionAllowFrom pass exactly one domain as the second argument; any further domains are ignored. Chrome and Safari never supported ALLOW-FROM and Firefox has since dropped it, so to allow framing from specific origins use ContentSecurityPolicy with FrameAncestors instead and keep X-Frame-Options to DENY or SAMEORIGIN for older browsers. See https://en.wikipedia.org/wiki/Clickjacking and https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options .

func HidePoweredBy

func HidePoweredBy() gear.Middleware

HidePoweredBy removes the X-Powered-By header so responses do not advertise which framework or runtime serves the site. This only reduces fingerprinting; it does not make a vulnerable component any less vulnerable.

func IENoOpen

func IENoOpen() gear.Middleware

IENoOpen sets X-Download-Options: noopen so that Internet Explorer offers only "Save" for downloads and never opens them directly in your site's security context. See https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/ .

func NoCache added in v0.26.4

func NoCache() gear.Middleware

NoCache will (try to) disable all client-side and intermediary caching. Without it, a browser or CDN can keep serving an old HTML or JavaScript file, and some users stay stuck with a buggy version after you have shipped the fix. See https://github.com/helmetjs/nocache and http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#headers-cache-control . For shared caches, `Cache-Control: s-maxage=0` has roughly the same effect as `Surrogate-Control: no-store`.

func NoSniff

func NoSniff() gear.Middleware

NoSniff sets X-Content-Type-Options: nosniff to stop browsers from guessing ("sniffing") a response's MIME type, which can otherwise turn an uploaded "image" or text file into executable script or HTML. Because the browser will then trust the declared type, make sure your responses carry a correct Content-Type. See https://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/ .

func PublicKeyPinning

func PublicKeyPinning(options PublicKeyPinningOptions) gear.Middleware

PublicKeyPinning sets the Public-Key-Pins header (HPKP), which tells browsers to accept only certificate chains containing one of the pinned public keys, so that a mis-issued certificate cannot be used for a person-in-the-middle attack. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning . Caveat: HPKP has since been deprecated and current browsers ignore the header; a wrong or lost pin set would lock returning visitors out for MaxAge, so most deployments should leave this middleware out.

func SetReferrerPolicy

func SetReferrerPolicy(policy ReferrerPolicy) gear.Middleware

SetReferrerPolicy controls what the browser sends in the Referer header by setting the Referrer-Policy header. Prefer ReferrerPolicyStrictOriginWhenCrossOrigin or ReferrerPolicyNoReferrer so that paths and query strings, which may carry tokens, are not sent to third parties. See https://www.w3.org/TR/referrer-policy/#referrer-policy-header .

func StrictTransportSecurity

func StrictTransportSecurity(options StrictTransportSecurityOptions) gear.Middleware

StrictTransportSecurity sets the Strict-Transport-Security header (HSTS) so that browsers which have seen it keep using HTTPS for your host for MaxAge. Send it only over HTTPS, and set Preload only if the site meets the preload list requirements (a max-age of at least one year, IncludeSubDomains, and every subdomain served over HTTPS), because preloading is hard to undo. See https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security .

func XSSFilter

func XSSFilter() gear.Middleware

XSSFilter sets the X-XSS-Protection header to "1; mode=block" to enable the browser's reflected-XSS filter. On IE 8 and older the filter itself could be abused to introduce vulnerabilities, so for those user agents the header is set to "0" instead. See https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/ . Note that Chromium-based browsers have since removed their XSS auditor and Firefox never implemented one, so this header is now close to a no-op; a Content-Security-Policy is the effective defence.
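Because the value depends on the request, XSSFilter cannot be a fixed header. The following is an added example, not the secure package's implementation: it parses the legacy "MSIE <major>" token from the User-Agent and applies the rule described above (IE 8 and older get "0", everyone else "1; mode=block"), in net/http form. The user agent strings in main are constructed, not captured traffic.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strconv"
)

// msieToken matches the legacy "MSIE <major>" token. IE 11 dropped that token
// in favour of "Trident/7.0; rv:11.0", so IE 11 deliberately falls through to
// the modern value.
var msieToken = regexp.MustCompile(`MSIE (\d+)`)

// XSSProtectionValue returns "1; mode=block" for every browser except IE 8 and
// older, which get "0" because their filter could be abused to introduce an XSS.
func XSSProtectionValue(userAgent string) string {
	if m := msieToken.FindStringSubmatch(userAgent); m != nil {
		if major, err := strconv.Atoi(m[1]); err == nil && major < 9 {
			return "0"
		}
	}
	return "1; mode=block"
}

// XSSFilter is the middleware form: the value is computed per request.
func XSSFilter(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-XSS-Protection", XSSProtectionValue(r.UserAgent()))
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed user agents covering the three cases: legacy IE, later IE, and IE 11.
	for _, ua := range []string{
		"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
		"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)",
		"Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko",
	} {
		fmt.Printf("%-62s -> %s\n", ua, XSSProtectionValue(ua))
	}
}
```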

Types

type CSPDirectives

type CSPDirectives struct {
	DefaultSrc     []string `csp:"default-src"`
	ScriptSrc      []string `csp:"script-src"`
	StyleSrc       []string `csp:"style-src"`
	ImgSrc         []string `csp:"img-src"`
	ConnectSrc     []string `csp:"connect-src"`
	FontSrc        []string `csp:"font-src"`
	ObjectSrc      []string `csp:"object-src"`
	MediaSrc       []string `csp:"media-src"`
	FrameSrc       []string `csp:"frame-src"`
	ChildSrc       []string `csp:"child-src"`
	Sandbox        []string `csp:"sandbox"`
	FormAction     []string `csp:"form-action"`
	FrameAncestors []string `csp:"frame-ancestors"`
	PluginTypes    []string `csp:"plugin-types"`
	ReportURI      string   `csp:"report-uri"`
	ReportOnly     bool
}

CSPDirectives holds the directives the Content-Security-Policy header is built from; each csp tag is the directive's name on the wire. ReportOnly switches the output to the Content-Security-Policy-Report-Only header, which reports violations to ReportURI without blocking anything and is the usual way to try a policy before enforcing it.
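The following is an added example that serves both the ContentSecurityPolicy function above and this type; it is not the secure package's own code. It assumes the tag layout shown and uses reflection over the csp tags to serialize a policy in field order, picks the enforcing or report-only header from ReportOnly, and wraps the result as a net/http middleware. Whether the real package skips empty fields or orders directives this way is not stated on the page; this example does both.

```go
package main

import (
	"fmt"
	"net/http"
	"reflect"
	"strings"
)

// CSPDirectives mirrors the tagged struct on this page.
type CSPDirectives struct {
	DefaultSrc     []string `csp:"default-src"`
	ScriptSrc      []string `csp:"script-src"`
	StyleSrc       []string `csp:"style-src"`
	ImgSrc         []string `csp:"img-src"`
	ConnectSrc     []string `csp:"connect-src"`
	FontSrc        []string `csp:"font-src"`
	ObjectSrc      []string `csp:"object-src"`
	MediaSrc       []string `csp:"media-src"`
	FrameSrc       []string `csp:"frame-src"`
	ChildSrc       []string `csp:"child-src"`
	Sandbox        []string `csp:"sandbox"`
	FormAction     []string `csp:"form-action"`
	FrameAncestors []string `csp:"frame-ancestors"`
	PluginTypes    []string `csp:"plugin-types"`
	ReportURI      string   `csp:"report-uri"`
	ReportOnly     bool
}

// HeaderName picks the enforcing or the report-only header.
func (d CSPDirectives) HeaderName() string {
	if d.ReportOnly {
		return "Content-Security-Policy-Report-Only"
	}
	return "Content-Security-Policy"
}

// Serialize renders the non-empty directives in struct order as
// "name value; name value", reading the directive names from the csp tags.
func (d CSPDirectives) Serialize() string {
	v := reflect.ValueOf(d)
	t := v.Type()
	var out []string
	for i := 0; i < t.NumField(); i++ {
		name := t.Field(i).Tag.Get("csp")
		if name == "" {
			continue // ReportOnly carries no tag: it is a switch, not a directive
		}
		switch f := v.Field(i); f.Kind() {
		case reflect.Slice:
			if f.Len() > 0 {
				out = append(out, name+" "+strings.Join(f.Interface().([]string), " "))
			}
		case reflect.String:
			if s := f.String(); s != "" {
				out = append(out, name+" "+s)
			}
		}
	}
	return strings.Join(out, "; ")
}

// ContentSecurityPolicy is the middleware: the policy is rendered once, up front.
func ContentSecurityPolicy(d CSPDirectives) func(http.Handler) http.Handler {
	name, value := d.HeaderName(), d.Serialize()
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set(name, value)
			next.ServeHTTP(w, r)
		})
	}
}

func main() {
	// A conservative policy: same-origin by default, one script CDN (placeholder host),
	// no plugins, no framing, violations reported to a path on this site.
	policy := CSPDirectives{
		DefaultSrc:     []string{"'self'"},
		ScriptSrc:      []string{"'self'", "https://cdn.example"},
		ObjectSrc:      []string{"'none'"},
		FrameAncestors: []string{"'none'"},
		ReportURI:      "/csp-report",
	}
	fmt.Println(policy.HeaderName() + ": " + policy.Serialize())
	policy.ReportOnly = true
	fmt.Println(policy.HeaderName() + ": " + policy.Serialize())
	_ = ContentSecurityPolicy(policy)
}
```

Setting ObjectSrc to 'none' and FrameAncestors to 'none' is the usual minimum; frame-ancestors is also the standards-based replacement for X-Frame-Options ALLOW-FROM.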

type FrameGuardAction

type FrameGuardAction string

FrameGuardAction represents a possible option of the "X-Frame-Options" header.

const (
	FrameGuardActionDeny       FrameGuardAction = "DENY"
	FrameGuardActionSameOrigin FrameGuardAction = "SAMEORIGIN"
	FrameGuardActionAllowFrom  FrameGuardAction = "ALLOW-FROM"
)

"X-Frame-Options" header options.

type PublicKeyPinningOptions

type PublicKeyPinningOptions struct {
	MaxAge            time.Duration
	Sha256s           []string
	ReportURI         string
	IncludeSubdomains bool
	ReportOnly        bool
}

PublicKeyPinningOptions are the options for the PublicKeyPinning middleware. Sha256s holds the pin-sha256 values: base64-encoded SHA-256 hashes of the pinned keys' DER SubjectPublicKeyInfo (RFC 7469). Always include a backup key that is not in the served certificate chain, otherwise losing the live key locks users out until MaxAge expires.
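The following is an added example, not the secure package's implementation, showing what Sha256s actually contains: it computes an RFC 7469 pin from a public key, generates a live and a backup P-256 key, refuses to render a header with fewer than two pins, and prints the resulting Public-Key-Pins header. The header itself is deprecated in browsers today, but the pin computation is the same one used by other pinning schemes. The report URI is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// PublicKeyPinningOptions mirrors the options struct on this page.
type PublicKeyPinningOptions struct {
	MaxAge            time.Duration
	Sha256s           []string
	ReportURI         string
	IncludeSubdomains bool
	ReportOnly        bool
}

// PinSHA256 computes an RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo)).
// The hash covers the key, not the certificate, so renewing a certificate with
// the same key keeps the pin valid.
func PinSHA256(pub interface{}) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// NewKeyPin generates a fresh P-256 key and returns its pin, the way you would
// pre-compute the pin of an offline backup key before deploying the header.
func NewKeyPin() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	return PinSHA256(&key.PublicKey)
}

// HeaderName selects the enforcing or report-only header.
func HeaderName(o PublicKeyPinningOptions) string {
	if o.ReportOnly {
		return "Public-Key-Pins-Report-Only"
	}
	return "Public-Key-Pins"
}

// HeaderValue renders the header value. RFC 7469 requires at least two pins, one
// for a key in the served chain and one backup that is not, so a single pin is
// refused here: with one pin a lost key strands every returning visitor for MaxAge.
func HeaderValue(o PublicKeyPinningOptions) (string, error) {
	if len(o.Sha256s) < 2 {
		return "", errors.New("HPKP needs at least two pins (live key plus backup)")
	}
	parts := make([]string, 0, len(o.Sha256s)+3)
	for _, pin := range o.Sha256s {
		parts = append(parts, `pin-sha256="`+pin+`"`)
	}
	parts = append(parts, "max-age="+strconv.FormatInt(int64(o.MaxAge/time.Second), 10))
	if o.IncludeSubdomains {
		parts = append(parts, "includeSubDomains")
	}
	if o.ReportURI != "" {
		parts = append(parts, `report-uri="`+o.ReportURI+`"`)
	}
	return strings.Join(parts, "; "), nil
}

func main() {
	live, err := NewKeyPin()
	if err != nil {
		panic(err)
	}
	backup, err := NewKeyPin()
	if err != nil {
		panic(err)
	}
	opts := PublicKeyPinningOptions{
		MaxAge:            30 * 24 * time.Hour,
		Sha256s:           []string{live, backup},
		IncludeSubdomains: true,
		ReportURI:         "https://example.test/hpkp-report", // placeholder endpoint
	}
	value, err := HeaderValue(opts)
	if err != nil {
		panic(err)
	}
	fmt.Println(HeaderName(opts) + ": " + value)
}
```

A short MaxAge and the report-only header are the safe way to trial pins; the same PinSHA256 routine applied to a real server key gives the values to put in Sha256s.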

type ReferrerPolicy

type ReferrerPolicy string

ReferrerPolicy represents a possible policy of the "Referrer-Policy" header.

const (
	ReferrerPolicyNoReferrer                  ReferrerPolicy = "no-referrer"
	ReferrerPolicyWhenDowngrade               ReferrerPolicy = "no-referrer-when-downgrade"
	ReferrerPolicyStrictOrigin                ReferrerPolicy = "strict-origin"
	ReferrerPolicyStrictOriginWhenCrossOrigin ReferrerPolicy = "strict-origin-when-cross-origin"
	ReferrerPolicySameOrigin                  ReferrerPolicy = "same-origin"
	ReferrerPolicyOrigin                      ReferrerPolicy = "origin"
	ReferrerPolicyOriginWhenCrossOrigin       ReferrerPolicy = "origin-when-cross-origin"
	ReferrerPolicyUnsafeURL                   ReferrerPolicy = "unsafe-url"
)

Possible referrer policies.

type StrictTransportSecurityOptions

type StrictTransportSecurityOptions struct {
	MaxAge            time.Duration
	IncludeSubDomains bool
	Preload           bool
}

StrictTransportSecurityOptions are the options for the StrictTransportSecurity middleware. MaxAge becomes the header's max-age, which is expressed in seconds; IncludeSubDomains and Preload add the corresponding directives. Set Preload only together with IncludeSubDomains and a MaxAge of at least one year, which the browser preload list requires.
