add some security HTTP headers (#5814)

This change adds some security headers like Content-Security-Policy.
It does not set the HSTS header because Content-Security-Policy prevents
mixed HTTP and HTTPS content and the server does not use cookies.
However it is a header which could be added later on.

It also moves some header added by #5805 from a vendored file
to a generic handler.

Fixes ##5813
This commit is contained in:
Andreas Auernhammer 2018-04-13 00:57:41 +02:00 committed by Dee Koder
parent 1f07545e2a
commit f60765ac93
3 changed files with 19 additions and 5 deletions

View File

@ -625,3 +625,19 @@ func (l rateLimit) ServeHTTP(w http.ResponseWriter, r *http.Request) {
l.handler.ServeHTTP(w, r)
}
type securityHeaderHandler struct {
handler http.Handler
}
func addSecurityHeaders(h http.Handler) http.Handler {
return securityHeaderHandler{handler: h}
}
func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
header := w.Header()
header.Set("X-XSS-Protection", "\"1; mode=block\"") // Prevents against XSS attacks
header.Set("X-Frame-Options", "SAMEORIGIN") // Prevents against Clickjacking
header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
s.handler.ServeHTTP(w, r)
}

View File

@ -59,6 +59,8 @@ func registerDistXLRouters(mux *router.Router, endpoints EndpointList) error {
// List of some generic handlers which are applied for all incoming requests.
var globalHandlers = []HandlerFunc{
// set HTTP security headers such as Content-Security-Policy.
addSecurityHeaders,
// Ratelimit the incoming requests using a token bucket algorithm
setRateLimitHandler,
// Validate all the incoming paths.

View File

@ -149,10 +149,6 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Prevents Internet Explorer from MIME-sniffing a response away
// from the declared content-type
w.Header().Set("x-content-type-options", "nosniff")
// Prevents against XSS Atacks
w.Header().Set("X-XSS-Protection", "\"1; mode=block\"")
// Prevents against Clickjacking
w.Header().Set("X-Frame-Options", "SAMEORIGIN")
// Encode the response.
if errResult == nil {