Skip to content
This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Secure Headers #415

Merged
merged 5 commits into from
Aug 28, 2020
Merged

Secure Headers #415

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d1206dc
Add common security settings handler
icco Aug 28, 2020
cbf62e7
remove old hsts middleware
icco Aug 28, 2020
118158a
go mod update
icco Aug 28, 2020
d658a22
change to a bool
icco Aug 28, 2020
5037eee
lint fix
icco Aug 28, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 2 additions & 5 deletions cmd/adminapi/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,11 +117,8 @@ func realMain(ctx context.Context) error {
}
rateLimit := httplimiter.Handle

// Install HSTS headers in production
if !config.DevMode {
addHSTS := middleware.AddHSTS(ctx)
r.Use(addHSTS)
}
// Install common security headers
r.Use(middleware.SecureHeaders(ctx, config.DevMode, "json"))

// Create the renderer
h, err := render.New(ctx, "", config.DevMode)
Expand Down
7 changes: 2 additions & 5 deletions cmd/apiserver/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,11 +130,8 @@ func realMain(ctx context.Context) error {
}
rateLimit := httplimiter.Handle

// Install HSTS headers in production
if !config.DevMode {
addHSTS := middleware.AddHSTS(ctx)
r.Use(addHSTS)
}
// Install common security headers
r.Use(middleware.SecureHeaders(ctx, config.DevMode, "json"))

// Create the renderer
h, err := render.New(ctx, "", config.DevMode)
Expand Down
7 changes: 2 additions & 5 deletions cmd/server/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,11 +160,8 @@ func realMain(ctx context.Context) error {
return fmt.Errorf("failed to create limiter middleware: %w", err)
}

// Install HSTS headers in production
if !config.DevMode {
addHSTS := middleware.AddHSTS(ctx)
r.Use(addHSTS)
}
// Install common security headers
r.Use(middleware.SecureHeaders(ctx, config.DevMode, "html"))

// Install the CSRF protection middleware.
configureCSRF := middleware.ConfigureCSRF(ctx, config, h)
Expand Down
1 change: 1 addition & 0 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ require (
github.com/sethvargo/go-signalcontext v0.1.0
github.com/stretchr/objx v0.3.0 // indirect
github.com/stretchr/testify v1.6.1 // indirect
github.com/unrolled/secure v1.0.8
go.opencensus.io v0.22.4
go.uber.org/zap v1.15.0
golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de // indirect
Expand Down
4 changes: 4 additions & 0 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1312,8 +1312,12 @@ github.com/ultraware/funlen v0.0.2 h1:Av96YVBwwNSe4MLR7iI/BIa3VyI7/djnto/pK3Uxbd
github.com/ultraware/funlen v0.0.2/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA=
github.com/ultraware/whitespace v0.0.4 h1:If7Va4cM03mpgrNH9k49/VOicWpGoG70XPBFFODYDsg=
github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA=
github.com/unrolled/secure v1.0.8 h1:JaMvKbe4CRt8oyxVXn+xY+6jlqd7pyJNSVkmsBxxQsM=
github.com/unrolled/secure v1.0.8/go.mod h1:fO+mEan+FLB0CdEnHf6Q4ZZVNqG+5fuLFnP8p0BXDPI=
github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc=
github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
github.com/uudashr/gocognit v0.0.0-20190926065955-1655d0de0517 h1:ChMKTho2hWKpks/nD/FL2KqM1wuVt62oJeiE8+eFpGs=
github.com/uudashr/gocognit v0.0.0-20190926065955-1655d0de0517/go.mod h1:j44Ayx2KW4+oB6SWMv8KsmHzZrOInQav7D3cQMJ5JUM=
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
Expand Down
53 changes: 0 additions & 53 deletions pkg/controller/middleware/hsts.go
View file
Open in desktop

This file was deleted.

40 changes: 40 additions & 0 deletions pkg/controller/middleware/secure.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package middleware

import (
"context"

"github.com/gorilla/mux"
"github.com/unrolled/secure"
)

// SecureHeaders sets a bunch of default secure headers that our servers should have.
func SecureHeaders(ctx context.Context, devMode bool, serverType string) mux.MiddlewareFunc {
options := secure.Options{
BrowserXssFilter: serverType == "html",
ContentTypeNosniff: true,
FrameDeny: serverType == "html",
HostsProxyHeaders: []string{"X-Forwarded-Host"},
IsDevelopment: devMode,
SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
SSLRedirect: !devMode,
STSIncludeSubdomains: true,
STSPreload: true,
STSSeconds: 315360000,
}

return secure.New(options).Handler
}