2021-06-24 18:04:53 +00:00
|
|
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
2020-10-06 22:27:36 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
// Package securityheader implements an HTTP middleware for setting security-related response headers.
|
|
|
|
package securityheader
|
|
|
|
|
2021-06-24 18:04:53 +00:00
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
)
|
2020-10-06 22:27:36 +00:00
|
|
|
|
|
|
|
// Wrap the provided http.Handler so it sets appropriate security-related response headers.
|
|
|
|
func Wrap(wrapped http.Handler) http.Handler {
|
2021-06-24 18:04:53 +00:00
|
|
|
return WrapWithCustomCSP(wrapped, "default-src 'none'; frame-ancestors 'none'")
|
|
|
|
}
|
|
|
|
|
|
|
|
func WrapWithCustomCSP(wrapped http.Handler, cspHeader string) http.Handler {
|
2020-10-06 22:27:36 +00:00
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
h := w.Header()
|
2021-06-24 18:04:53 +00:00
|
|
|
h.Set("Content-Security-Policy", cspHeader)
|
2020-10-06 22:27:36 +00:00
|
|
|
h.Set("X-Frame-Options", "DENY")
|
|
|
|
h.Set("X-XSS-Protection", "1; mode=block")
|
|
|
|
h.Set("X-Content-Type-Options", "nosniff")
|
|
|
|
h.Set("Referrer-Policy", "no-referrer")
|
2020-12-14 23:28:32 +00:00
|
|
|
h.Set("X-DNS-Prefetch-Control", "off")
|
2020-12-16 03:38:55 +00:00
|
|
|
h.Set("Cache-Control", "no-cache,no-store,max-age=0,must-revalidate")
|
2020-12-14 23:28:32 +00:00
|
|
|
h.Set("Pragma", "no-cache")
|
|
|
|
h.Set("Expires", "0")
|
2020-12-16 03:34:34 +00:00
|
|
|
wrapped.ServeHTTP(w, r)
|
2020-10-06 22:27:36 +00:00
|
|
|
})
|
|
|
|
}
|