changeset 4829:f4ec3558460e
Set some nosniff http headers.
author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
date | Wed, 06 Nov 2019 18:00:50 +0100 |
parents | 39ee00d06309 |
children | 125cac3c977d |
files | cmd/gemma/main.go pkg/controllers/proxy.go pkg/middleware/jsonhandler.go |
diffstat | 3 files changed, 14 insertions(+), 1 deletions(-) [+] |
--- a/cmd/gemma/main.go Tue Nov 05 14:31:22 2019 +0100
+++ b/cmd/gemma/main.go Wed Nov 06 18:00:50 2019 +0100
@@ -67,7 +67,15 @@
 m := mux.NewRouter()
 controllers.BindRoutes(m)
- m.PathPrefix("/").Handler(http.FileServer(http.Dir(web)))
+ dir := http.FileServer(http.Dir(web))
+
+ xframes := http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
+ res.Header().Set("X-Frame-Options", "sameorigin")
+ res.Header().Set("X-Content-Type-Options", "nosniff")
+ dir.ServeHTTP(res, req)
+ })
+
+ m.PathPrefix("/").Handler(xframes)
 addr := fmt.Sprintf("%s:%d", config.WebHost(), config.WebPort())
 log.Printf("info: listen on %s\n", addr)
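Review bot: The two headers added on `xframes` only reach responses from the static file server, so every route registered by `controllers.BindRoutes(m)` is still served without `X-Frame-Options`, and `X-Content-Type-Options` has to be repeated by hand in the proxy.go and jsonhandler.go hunks of this same changeset. Since `m` comes from `mux.NewRouter()`, the same closure can be registered once with `m.Use` as middleware that wraps whichever handler matched, and the file server is then registered unchanged (the proxy.go copy stays useful, because a reverse proxy layers upstream headers on top of what the middleware set). The name `xframes` also undersells what the closure does now that it sets two headers; `secHeaders` with a comment such as `// secHeaders forbids cross-site framing and MIME sniffing on every response.` reads better. RFC 7034 spells the value `SAMEORIGIN`; browsers match it case-insensitively, but the canonical spelling avoids surprises with tooling that compares literally. The enclosing `main` continues outside the hunk.

```go
	controllers.BindRoutes(m)

	// secHeaders forbids cross-site framing and MIME sniffing on every
	// response the router serves, API routes and static files alike.
	secHeaders := func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
			res.Header().Set("X-Frame-Options", "SAMEORIGIN")
			res.Header().Set("X-Content-Type-Options", "nosniff")
			next.ServeHTTP(res, req)
		})
	}
	m.Use(secHeaders)

	m.PathPrefix("/").Handler(http.FileServer(http.Dir(web)))
	// … unchanged: addr / log.Printf …
```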
--- a/pkg/controllers/proxy.go Tue Nov 05 14:31:22 2019 +0100 +++ b/pkg/controllers/proxy.go Wed Nov 06 18:00:50 2019 +0100 @@ -153,6 +153,8 @@ return func(resp *http.Response) error { + resp.Header.Set("X-Content-Type-Options", "nosniff") + if !isXML(resp.Header) { return nil }
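Review bot: Setting the header inside this `func(resp *http.Response) error` closure only covers responses that actually came back from the upstream; if the closure is installed as a `httputil.ReverseProxy.ModifyResponse` (inferred from its signature, the proxy setup is outside the hunk), the error path — upstream unreachable, or this closure itself returning an error — is written by the proxy's error handler and never passes through here, so those replies leave without `nosniff`. Setting the header on the client-side `ResponseWriter` before handing off to the proxy, or in the error handler as well, closes that gap. A one-line comment would also help the next reader, e.g. `// Forbid MIME sniffing on every proxied reply, not only the XML ones rewritten below, whatever the upstream sent.` The enclosing function starts and ends outside the hunk.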
--- a/pkg/middleware/jsonhandler.go Tue Nov 05 14:31:22 2019 +0100
+++ b/pkg/middleware/jsonhandler.go Wed Nov 06 18:00:50 2019 +0100
@@ -183,6 +183,8 @@
 if jr.Code != http.StatusNoContent {
 rw.Header().Set("Content-Type", "application/json")
 }
+ rw.Header().Set("X-Content-Type-Options", "nosniff")
+
 rw.WriteHeader(jr.Code)
 if jr.Code != http.StatusNoContent {
 var err error
@@ -201,6 +203,7 @@
 // with a given HTTP status code.
 func SendJSON(rw http.ResponseWriter, code int, data interface{}) {
 rw.Header().Set("Content-Type", "application/json")
+ rw.Header().Set("X-Content-Type-Options", "nosniff")
 rw.WriteHeader(code)
 if err := json.NewEncoder(rw).Encode(data); err != nil {
 log.Printf("error: %v\n", err)
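Review bot: Both hunks now write the same header pair by hand, and the doc comment on `SendJSON` (its last line, `// with a given HTTP status code.`, is visible in the second hunk) says nothing about the headers the function commits to, so a caller cannot tell from the docs that the reply carries `nosniff`; that comment should end with a sentence such as `// The reply is sent with Content-Type application/json and X-Content-Type-Options nosniff.` A small unexported helper keeps the two paths in step and gives the header a single home. The ordering is right in both places — headers are set before `WriteHeader`, after which `Header().Set` has no effect. The first hunk's enclosing function begins outside the hunk, and `SendJSON` continues past the end of the second.

```go
// jsonHeaders sets the headers every JSON reply carries. Content-Type is
// skipped for 204 replies, which have no body; nosniff is set regardless.
func jsonHeaders(h http.Header, code int) {
	if code != http.StatusNoContent {
		h.Set("Content-Type", "application/json")
	}
	h.Set("X-Content-Type-Options", "nosniff")
}

	// … first hunk: replaces the if/Set/}/Set lines before WriteHeader …
	jsonHeaders(rw.Header(), jr.Code)
	rw.WriteHeader(jr.Code)

func SendJSON(rw http.ResponseWriter, code int, data interface{}) {
	jsonHeaders(rw.Header(), code)
	rw.WriteHeader(code)
	// … unchanged: encode data, log on error …
```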