From f60765ac93013a554af1b55660764b49cc9b3221 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Fri, 13 Apr 2018 00:57:41 +0200
Subject: [PATCH] add some security HTTP headers (#5814)

This change adds some security headers like Content-Security-Policy. It does not set the HSTS header because Content-Security-Policy prevents mixed HTTP and HTTPS content and the server does not use cookies. However it is a header which could be added later on. It also moves some header added by #5805 from a vendored file to a generic handler. Fixes ##5813
---
 cmd/generic-handlers.go | 16 ++++++++++++++++
 cmd/routers.go | 2 ++
 vendor/github.com/gorilla/rpc/v2/server.go | 6 +-----
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/cmd/generic-handlers.go b/cmd/generic-handlers.go
index b0e8186f6..ebff24fbe 100644
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@@ -625,3 +625,19 @@ func (l rateLimit) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 l.handler.ServeHTTP(w, r)
 }
+
+type securityHeaderHandler struct {
+ handler http.Handler
+}
+
+func addSecurityHeaders(h http.Handler) http.Handler {
+ return securityHeaderHandler{handler: h}
+}
+
+func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ header := w.Header()
+ header.Set("X-XSS-Protection", "\"1; mode=block\"") // Prevents against XSS attacks
+ header.Set("X-Frame-Options", "SAMEORIGIN") // Prevents against Clickjacking
+ header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
+ s.handler.ServeHTTP(w, r)
+}
diff --git a/cmd/routers.go b/cmd/routers.go
index 0e35421f1..4bf78ec94 100644
--- a/cmd/routers.go
+++ b/cmd/routers.go
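Review bot: The X-XSS-Protection value in securityHeaderHandler.ServeHTTP is the Go string `"\"1; mode=block\""`, so the header leaves the server with literal double quotes around it (`X-XSS-Protection: "1; mode=block"`), which is not the documented `1; mode=block` form and is carried over verbatim from the vendored gorilla/rpc lines this commit deletes; `header.Set("X-XSS-Protection", "1; mode=block")` is the intended value. The `X-Content-Type-Options: nosniff` header is kept only in the vendored RPC server (third hunk), so responses from every other handler get no MIME-sniffing protection; adding `header.Set("X-Content-Type-Options", "nosniff")` here would make it uniform across the chain. The new type and both functions lack doc comments; suggest `// addSecurityHeaders wraps h so that every response carries X-XSS-Protection, X-Frame-Options and Content-Security-Policy; the headers are set before h runs, so h can still override them.` on addSecurityHeaders. X-XSS-Protection is a legacy header that current browsers have dropped or ignore, so X-Frame-Options and Content-Security-Policy carry the real protective weight here.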
@@ -59,6 +59,8 @@ func registerDistXLRouters(mux *router.Router, endpoints EndpointList) error {
 // List of some generic handlers which are applied for all incoming requests.
 var globalHandlers = []HandlerFunc{
+ // set HTTP security headers such as Content-Security-Policy.
+ addSecurityHeaders,
 // Ratelimit the incoming requests using a token bucket algorithm
 setRateLimitHandler,
 // Validate all the incoming paths.
diff --git a/vendor/github.com/gorilla/rpc/v2/server.go b/vendor/github.com/gorilla/rpc/v2/server.go
index bdf140106..af9dbef2b 100644
--- a/vendor/github.com/gorilla/rpc/v2/server.go
+++ b/vendor/github.com/gorilla/rpc/v2/server.go
@@ -149,11 +149,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // Prevents Internet Explorer from MIME-sniffing a response away
 // from the declared content-type
 w.Header().Set("x-content-type-options", "nosniff")
- // Prevents against XSS Atacks
- w.Header().Set("X-XSS-Protection", "\"1; mode=block\"")
- // Prevents against Clickjacking
- w.Header().Set("X-Frame-Options", "SAMEORIGIN")
-
+
 // Encode the response.
 if errResult == nil {
 codecReq.WriteResponse(w, reply.Interface())
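Review bot: Placing addSecurityHeaders first in globalHandlers only guarantees that rejections written by setRateLimitHandler or the path validator carry the new headers if the code that applies this list (outside the hunk) wraps the first entry outermost; if it wraps it innermost, those early error responses go out without them. The intended position is worth pinning in the comment, e.g. `// Set HTTP security headers such as Content-Security-Policy. Must wrap every other handler so that requests rejected further down the chain also carry them.`, and a quick check against the registration loop would confirm the wrapping order.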