Add support for HTTP Strict Transport Security header
This commit is contained in:
parent
9c42997209
commit
61bc012a62
4 changed files with 33 additions and 3 deletions
@ -167,6 +167,11 @@ func (c *Config) OAuth2Provider() string {
return c.get("OAUTH2_PROVIDER", "")
return c.get("OAUTH2_PROVIDER", "")
}
}
// HasHSTS returns true if HTTP Strict Transport Security is enabled.
func (c *Config) HasHSTS() bool {
return c.get("DISABLE_HSTS", "") == ""
}
// NewConfig returns a new Config.
// NewConfig returns a new Config.
func NewConfig() *Config {
func NewConfig() *Config {
return &Config{IsHTTPS: os.Getenv("HTTPS") != ""}
return &Config{IsHTTPS: os.Getenv("HTTPS") != ""}
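Review bot: The doc comment on HasHSTS covers only the positive case, while the check `c.get("DISABLE_HSTS", "") == ""` means any non-empty value of DISABLE_HSTS, including "0" or "false", switches HSTS off, which a reader of the comment will not expect. Suggest `// HasHSTS returns true unless the DISABLE_HSTS environment variable is set to any non-empty value (including "0" or "false").` so the operator-facing contract is stated where the method is defined. The lookup goes through c.get, which is outside this hunk, so whether surrounding whitespace is trimmed before the comparison has not been verified here.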
@ -80,3 +80,22 @@ func TestDefaultBaseURL(t *testing.T) {
t.Fatalf(`Unexpected base path, got "%s"`, cfg.BasePath())
t.Fatalf(`Unexpected base path, got "%s"`, cfg.BasePath())
}
}
}
}
func TestHSTSOn(t *testing.T) {
os.Clearenv()
cfg := NewConfig()
if !cfg.HasHSTS() {
t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
}
}
func TestHSTSOff(t *testing.T) {
os.Clearenv()
os.Setenv("DISABLE_HSTS", "1")
cfg := NewConfig()
if cfg.HasHSTS() {
t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
}
}
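Review bot: The new tests pin Config.HasHSTS only; nothing in the commit asserts that the Strict-Transport-Security header is actually emitted when IsHTTPS is set and omitted once DISABLE_HSTS is non-empty, which is the observable behaviour being added. A test in response.go's package that builds a Response through NewResponse with an httptest.NewRecorder writer, calls the header-setting path, and checks `Header().Get("Strict-Transport-Security")` under both configurations would cover the interaction of the two flags rather than one of them. Separately, the error from `os.Setenv("DISABLE_HSTS", "1")` in TestHSTSOff is discarded; `if err := os.Setenv("DISABLE_HSTS", "1"); err != nil { t.Fatal(err) }` turns a failed setenv into a clear failure instead of the misleading "Unexpected HSTS value" message.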
@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {
ctx := NewContext(r, h.store, h.router, h.translator)
ctx := NewContext(r, h.store, h.router, h.translator)
request := NewRequest(r)
request := NewRequest(r)
response := NewResponse(w, r, h.template)
response := NewResponse(h.cfg, w, r, h.template)
language := ctx.UserLanguage()
language := ctx.UserLanguage()
if language != "" {
if language != "" {
@ -8,11 +8,13 @@ import (
"net/http"
"net/http"
"time"
"time"
"github.com/miniflux/miniflux/config"
"github.com/miniflux/miniflux/template"
"github.com/miniflux/miniflux/template"
)
)
// Response handles HTTP responses.
// Response handles HTTP responses.
type Response struct {
type Response struct {
cfg *config.Config
writer http.ResponseWriter
writer http.ResponseWriter
request *http.Request
request *http.Request
template *template.Engine
template *template.Engine
@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
// Even if the directive "frame-src" has been deprecated in Firefox,
// Even if the directive "frame-src" has been deprecated in Firefox,
// we keep it to stay compatible with other browsers.
// we keep it to stay compatible with other browsers.
r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
}
}
}
// NewResponse returns a new Response.
// NewResponse returns a new Response.
func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
return &Response{writer: w, request: r, template: template}
return &Response{cfg: cfg, writer: w, request: r, template: template}
}
}
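Review bot: commonHeaders now dereferences r.cfg unconditionally on the new `if r.cfg.IsHTTPS && r.cfg.HasHSTS() {` line, while NewResponse further down the hunk stores whatever pointer it is handed, so any caller that passes a nil cfg will panic on every response instead of merely missing the header; `if r.cfg != nil && r.cfg.IsHTTPS && r.cfg.HasHSTS() {` keeps the pre-commit behaviour for such callers, or NewResponse should document that cfg must be non-nil. The header value `max-age=31536000` deliberately or accidentally omits includeSubDomains; if leaving it out is intended (the application may be served from a subdomain whose siblings it does not control), a one-line comment above the Set call, e.g. `// No includeSubDomains: the policy must not reach hosts outside this deployment.`, would stop the next reader from "fixing" it, and the same applies to the IsHTTPS gate, which is driven by the HTTPS environment variable rather than the request scheme. commonHeaders' body begins before this hunk.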