Kharec/goyco
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(middleware): configurable Swagger CSP, log CSP nonce errors, drop X-XSS-Protection

Browse Source
This commit is contained in:
Sandro CURY CAZZANIGA
2026-05-06 20:13:56 +02:00
parent d668567dc5
commit 61875201f9
1 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/middleware/security_headers.go
+15 -4
View File
@@ -5,12 +5,21 @@ import (
"crypto/rand" "crypto/rand"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"log"
"net/http" "net/http"
"strings" "strings"
) )
const CSPNonceKey contextKey = "csp_nonce" const CSPNonceKey contextKey = "csp_nonce"
type SecurityHeadersConfig struct {
RelaxSwaggerCSP bool
}
func DefaultSecurityHeadersConfig() SecurityHeadersConfig {
return SecurityHeadersConfig{RelaxSwaggerCSP: true}
}
func GenerateCSPNonce() (string, error) { func GenerateCSPNonce() (string, error) {
nonceBytes := make([]byte, 16) nonceBytes := make([]byte, 16)
if _, err := rand.Read(nonceBytes); err != nil { if _, err := rand.Read(nonceBytes); err != nil {
@@ -27,15 +36,18 @@ func GetCSPNonceFromContext(ctx context.Context) string {
} }
func SecurityHeadersMiddleware() func(http.Handler) http.Handler { func SecurityHeadersMiddleware() func(http.Handler) http.Handler {
return SecurityHeadersMiddlewareWithConfig(DefaultSecurityHeadersConfig())
}
func SecurityHeadersMiddlewareWithConfig(cfg SecurityHeadersConfig) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler { return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("X-Frame-Options", "DENY") w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("X-XSS-Protection", "1; mode=block")
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin") w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
isSwaggerRoute := strings.HasPrefix(r.URL.Path, "/swagger") isSwaggerRoute := strings.HasPrefix(r.URL.Path, "/swagger")
if isSwaggerRoute { if isSwaggerRoute && cfg.RelaxSwaggerCSP {
csp := "default-src 'self'; " + csp := "default-src 'self'; " +
"script-src 'self' 'unsafe-inline' 'unsafe-eval'; " + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
"style-src 'self' 'unsafe-inline'; " + "style-src 'self' 'unsafe-inline'; " +
@@ -51,7 +63,7 @@ func SecurityHeadersMiddleware() func(http.Handler) http.Handler {
} else { } else {
nonce, err := GenerateCSPNonce() nonce, err := GenerateCSPNonce()
if err != nil { if err != nil {
log.Printf("middleware security headers: CSP nonce: %v", err)
nonce = "" nonce = ""
} }
@@ -72,7 +84,6 @@ func SecurityHeadersMiddleware() func(http.Handler) http.Handler {
csp = "script-src 'self' 'nonce-" + nonce + "'; " + csp = "script-src 'self' 'nonce-" + nonce + "'; " +
"style-src 'self' 'nonce-" + nonce + "'; " + csp "style-src 'self' 'nonce-" + nonce + "'; " + csp
} else { } else {
csp = "script-src 'self'; " + csp = "script-src 'self'; " +
"style-src 'self'; " + csp "style-src 'self'; " + csp
} }