MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-11 15:03:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

add some security HTTP headers (#5814)

Browse Source 
This change adds some security headers like Content-Security-Policy.
It does not set the HSTS header because Content-Security-Policy prevents
mixed HTTP and HTTPS content and the server does not use cookies.
However it is a header which could be added later on.

It also moves some header added by #5805 from a vendored file
to a generic handler.

Fixes ##5813
This commit is contained in:
Andreas Auernhammer 2018-04-13 00:57:41 +02:00 committed by Dee Koder
parent 1f07545e2a
commit f60765ac93
3 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
cmd/generic-handlers.go
View File

@ -625,3 +625,19 @@ func (l rateLimit) ServeHTTP(w http.ResponseWriter, r *http.Request) {
l.handler.ServeHTTP(w, r) l.handler.ServeHTTP(w, r)
} }
type securityHeaderHandler struct {
handler http.Handler
}
func addSecurityHeaders(h http.Handler) http.Handler {
return securityHeaderHandler{handler: h}
}
func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
header := w.Header()
header.Set("X-XSS-Protection", "\"1; mode=block\"") // Prevents against XSS attacks
header.Set("X-Frame-Options", "SAMEORIGIN") // Prevents against Clickjacking
header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
s.handler.ServeHTTP(w, r)
}

2
cmd/routers.go
View File

@ -59,6 +59,8 @@ func registerDistXLRouters(mux *router.Router, endpoints EndpointList) error {
// List of some generic handlers which are applied for all incoming requests. // List of some generic handlers which are applied for all incoming requests.
var globalHandlers = []HandlerFunc{ var globalHandlers = []HandlerFunc{
// set HTTP security headers such as Content-Security-Policy.
addSecurityHeaders,
// Ratelimit the incoming requests using a token bucket algorithm // Ratelimit the incoming requests using a token bucket algorithm
setRateLimitHandler, setRateLimitHandler,
// Validate all the incoming paths. // Validate all the incoming paths.

6
vendor/github.com/gorilla/rpc/v2/server.go generated vendored
View File

@ -149,11 +149,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Prevents Internet Explorer from MIME-sniffing a response away // Prevents Internet Explorer from MIME-sniffing a response away
// from the declared content-type // from the declared content-type
w.Header().Set("x-content-type-options", "nosniff") w.Header().Set("x-content-type-options", "nosniff")
// Prevents against XSS Atacks
w.Header().Set("X-XSS-Protection", "\"1; mode=block\"")
// Prevents against Clickjacking
w.Header().Set("X-Frame-Options", "SAMEORIGIN")
// Encode the response. // Encode the response.
if errResult == nil { if errResult == nil {
codecReq.WriteResponse(w, reply.Interface()) codecReq.WriteResponse(w, reply.Interface())