ContainerImage.Pinniped/internal/httputil/securityheader/securityheader.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package securityheader implements an HTTP middleware for setting security-related response headers.
package securityheader

import "net/http"

// Wrap the provided http.Handler so it sets appropriate security-related response headers.
func Wrap(wrapped http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-XSS-Protection", "1; mode=block")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "no-referrer")
		h.Set("X-DNS-Prefetch-Control", "off")
		h.Set("Cache-Control", "no-cache,no-store,max-age=0,must-revalidate")
		h.Set("Pragma", "no-cache")
		h.Set("Expires", "0")
		wrapped.ServeHTTP(w, r)
	})
}
Implement the rest of an OIDC client CLI library. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-06 22:27:36 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`// Package securityheader implements an HTTP middleware for setting security-related response headers.`
			`package securityheader`

			`import "net/http"`

			`// Wrap the provided http.Handler so it sets appropriate security-related response headers.`
			`func Wrap(wrapped http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`h := w.Header()`
			`h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")`
			`h.Set("X-Frame-Options", "DENY")`
			`h.Set("X-XSS-Protection", "1; mode=block")`
			`h.Set("X-Content-Type-Options", "nosniff")`
			`h.Set("Referrer-Policy", "no-referrer")`
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-14 23:28:32 +00:00			`h.Set("X-DNS-Prefetch-Control", "off")`
Simplify securityheader package by merging header fields. From RFC2616 (https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2): > It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, > without changing the semantics of the message, by appending each subsequent field-value to the first, > each separated by a comma. This was correct before, but this simplifes a bit and shaves off a few bytes from the response. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-16 03:38:55 +00:00			`h.Set("Cache-Control", "no-cache,no-store,max-age=0,must-revalidate")`
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-14 23:28:32 +00:00			`h.Set("Pragma", "no-cache")`
			`h.Set("Expires", "0")`
Fix a regression in securityheader package. The bug itself has to do with when headers are streamed to the client. Once a wrapped handler has sent any bytes to the `http.ResponseWriter`, the value of the map returned from `w.Header()` no longer matters for the response. The fix is fairly trivial, which is to add those response headers before invoking the wrapped handler. The existing unit test didn't catch this due to limitations in `httptest.NewRecorder()`. It is now replaced with a new test that runs a full HTTP test server, which catches the previous bug. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-16 03:34:34 +00:00			`wrapped.ServeHTTP(w, r)`
Implement the rest of an OIDC client CLI library. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-06 22:27:36 +00:00			`})`
			`}`