added secure http headers

passwall · May 3, 2020 · 1150faf · 1150faf
1 parent 82aff0b
commit 1150faf
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/internal/router/router.go b/internal/router/router.go
@@ -83,13 +83,15 @@ func (r *Router) initRoutes() {
 
 	n := negroni.Classic()
 	n.Use(negroni.HandlerFunc(CORS))
+	n.Use(negroni.HandlerFunc(Secure))
 
 	r.router.PathPrefix("/api").Handler(n.With(
 		negroni.HandlerFunc(Auth),
 		negroni.Wrap(apiRouter),
 	))
 
 	r.router.PathPrefix("/auth").Handler(n.With(
+
 		negroni.HandlerFunc(LimitHandler()),
 		negroni.Wrap(authRouter),
 	))

diff --git a/internal/router/secure.go b/internal/router/secure.go
@@ -0,0 +1,34 @@
+package router
+
+import (
+	"net/http"
+)
+
+// Secure ...
+func Secure(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+	// X-XSS-Protection
+	w.Header().Add("X-XSS-Protection", "1; mode=block")
+
+	// HTTP Strict Transport Security
+	w.Header().Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
+
+	// X-Frame-Options
+	w.Header().Add("X-Frame-Options", "SAMEORIGIN")
+
+	// X-Content-Type-Options
+	w.Header().Add("X-Content-Type-Options", "nosniff")
+
+	// Content Security Policy
+	w.Header().Add("Content-Security-Policy", "default-src 'self';")
+
+	// X-Permitted-Cross-Domain-Policies
+	w.Header().Add("X-Permitted-Cross-Domain-Policies", "none")
+
+	// Referrer-Policy
+	w.Header().Add("Referrer-Policy", "no-referrer")
+
+	// Feature-Policy
+	w.Header().Add("Feature-Policy", "microphone 'none'; camera 'none'")
+
+	next(w, r)
+}