secure

package

v0.24.0 Latest Latest Go to latest Published: Jan 13, 2017 License: MIT Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/quan-xie/gear

Links

Open Source Insights

Documentation ¶

Index ¶

func ContentSecurityPolicy(directives CSPDirectives) gear.Middleware
func DNSPrefetchControl(allow bool) gear.Middleware
func Default() gear.Middleware
func FrameGuard(action FrameGuardAction, domains ...string) gear.Middleware
func HidePoweredBy() gear.Middleware
func IENoOpen() gear.Middleware
func NoSniff() gear.Middleware
func PublicKeyPinning(options PublicKeyPinningOptions) gear.Middleware
func SetReferrerPolicy(policy ReferrerPolicy) gear.Middleware
func StrictTransportSecurity(options StrictTransportSecurityOptions) gear.Middleware
func XSSFilter() gear.Middleware
type CSPDirectives
type FrameGuardAction
type PublicKeyPinningOptions
type ReferrerPolicy
type StrictTransportSecurityOptions

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ContentSecurityPolicy ¶

func ContentSecurityPolicy(directives CSPDirectives) gear.Middleware

ContentSecurityPolicy (CSP) sets the Content-Security-Policy header which can help protect against malicious injection of JavaScript, CSS, plugins, and more. See https://content-security-policy.com .

func DNSPrefetchControl ¶

func DNSPrefetchControl(allow bool) gear.Middleware

DNSPrefetchControl controls browser DNS prefetching. And for potential privacy implications, it should be disabled. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching .

func Default ¶

func Default() gear.Middleware

Default provides protection for your Gear app by setting various HTTP headers. It equals:

app.Use(DNSPrefetchControl(false)) app.Use(HidePoweredBy()) app.Use(IENoOpen()) app.Use(NoSniff()) app.Use(XSSFilter()) app.Use(FrameGuard(FrameGuardActionSameOrigin))

app.Use(StrictTransportSecurity(StrictTransportSecurityOptions{
	MaxAge:            180 * 24 * time.Hour,
	IncludeSubDomains: true,
}))

func FrameGuard ¶

func FrameGuard(action FrameGuardAction, domains ...string) gear.Middleware

FrameGuard mitigates clickjacking attacks by setting the X-Frame-Options header. Because ALLOW-FROM option only allow one domain, so when action is FrameGuardActionAllowFrom, you should only give one domain at the second parameter, and others will be ignored. See https://en.wikipedia.org/wiki/Clickjacking and https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options .

func HidePoweredBy ¶

func HidePoweredBy() gear.Middleware

HidePoweredBy removes the X-Powered-By header to make it slightly harder for attackers to see what potentially-vulnerable technology powers your site.

func IENoOpen ¶

func IENoOpen() gear.Middleware

IENoOpen sets the X-Download-Options to prevent Internet Explorer from executing downloads in your site’s context. See https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/ .

func NoSniff ¶

func NoSniff() gear.Middleware

NoSniff helps prevent browsers from trying to guess (“sniff”) the MIME type, which can have security implications. It does this by setting the X-Content-Type-Options header to nosniff. See https://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/ .

func PublicKeyPinning ¶

func PublicKeyPinning(options PublicKeyPinningOptions) gear.Middleware

PublicKeyPinning helps you set the Public-Key-Pins header to prevent person-in-the-middle attacks. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning .

func SetReferrerPolicy ¶

func SetReferrerPolicy(policy ReferrerPolicy) gear.Middleware

SetReferrerPolicy controls the behavior of the Referer header by setting the Referrer-Policy header. See https://www.w3.org/TR/referrer-policy/#referrer-policy-header .

func StrictTransportSecurity ¶

func StrictTransportSecurity(options StrictTransportSecurityOptions) gear.Middleware

StrictTransportSecurity sets the Strict-Transport-Security header to keep your users on HTTPS. See https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security .

func XSSFilter ¶

func XSSFilter() gear.Middleware

XSSFilter sets the X-XSS-Protection header to "1; mode=block" to prevent reflected XSS attacks. Because on old versions of IE (<9), this will cause some even worse security vulnerabilities, so it will set the header to "0" for old IE. See https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/ .

Types ¶

type CSPDirectives ¶

type CSPDirectives struct {
	DefaultSrc     []string `csp:"default-src"`
	ScriptSrc      []string `csp:"script-src"`
	StyleSrc       []string `csp:"style-src"`
	ImgSrc         []string `csp:"img-src"`
	ConnectSrc     []string `csp:"connect-src"`
	FontSrc        []string `csp:"font-src"`
	ObjectSrc      []string `csp:"object-src"`
	MediaSrc       []string `csp:"media-src"`
	FrameSrc       []string `csp:"frame-src"`
	ChildSrc       []string `csp:"child-src"`
	Sandbox        []string `csp:"sandbox"`
	FormAction     []string `csp:"form-action"`
	FrameAncestors []string `csp:"frame-ancestors"`
	PluginTypes    []string `csp:"plugin-types"`
	ReportURI      string   `csp:"report-uri"`
	ReportOnly     bool
}

CSPDirectives represents all valid directives that the "Content-Security-Policy" header is made up of.

type FrameGuardAction ¶

type FrameGuardAction string

FrameGuardAction represents a possible option of the "X-Frame-Options" header.

const (
	FrameGuardActionDeny       FrameGuardAction = "DENY"
	FrameGuardActionSameOrigin FrameGuardAction = "SAMEORIGIN"
	FrameGuardActionAllowFrom  FrameGuardAction = "ALLOW-FROM"
)

"X-Frame-Options" header options.

type PublicKeyPinningOptions ¶

type PublicKeyPinningOptions struct {
	MaxAge            time.Duration
	Sha256s           []string
	ReportURI         string
	IncludeSubdomains bool
	ReportOnly        bool
}

PublicKeyPinningOptions is public key pinning middleware options.

type ReferrerPolicy ¶

type ReferrerPolicy string

ReferrerPolicy represents a possible policy of the "Referrer-Policy" header.

const (
	ReferrerPolicyNoReferrer                  ReferrerPolicy = "no-referrer"
	ReferrerPolicyWhenDowngrade               ReferrerPolicy = "no-referrer-when-downgrade"
	ReferrerPolicyStrictOrigin                ReferrerPolicy = "strict-origin"
	ReferrerPolicyStrictOriginWhenCrossOrigin ReferrerPolicy = "strict-origin-when-cross-origin"
	ReferrerPolicySameOrigin                  ReferrerPolicy = "same-origin"
	ReferrerPolicyOrigin                      ReferrerPolicy = "origin"
	ReferrerPolicyOriginWhenCrossOrigin       ReferrerPolicy = "origin-when-cross-origin"
	ReferrerPolicyUnsafeURL                   ReferrerPolicy = "unsafe-url"
)

Possible referrer policies.

type StrictTransportSecurityOptions ¶

type StrictTransportSecurityOptions struct {
	MaxAge            time.Duration
	IncludeSubDomains bool
	Preload           bool
}

StrictTransportSecurityOptions is the StrictTransportSecurity middleware options.

Source Files ¶

View all Source files

secure.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL