SecurityHeaders sets security headers to the response. It sets the following headers: - X-Content-Type-Options: nosniff - X-Frame-Options: DENY - Referrer-Policy: strict-origin-when-cross-origin - Content-Security-Policy: default-src 'none'; frame-ancestors 'none' - Cache-Control: no-store - Strict-
()
| 165 | // Returns: |
| 166 | // - gin.HandlerFunc: A middleware function that sets security headers to the response. |
| 167 | func SecurityHeaders() gin.HandlerFunc { |
| 168 | return func(c *gin.Context) { |
| 169 | c.Header("X-Content-Type-Options", "nosniff") |
| 170 | c.Header("X-Frame-Options", "DENY") |
| 171 | c.Header("Referrer-Policy", "strict-origin-when-cross-origin") |
| 172 | c.Header("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'") |
| 173 | c.Header("Cache-Control", "no-store") |
| 174 | isTLS := c.Request.TLS != nil |
| 175 | if !isTLS { |
| 176 | xfp := strings.ToLower(c.GetHeader("X-Forwarded-Proto")) |
| 177 | if xfp == "https" { |
| 178 | isTLS = true |
| 179 | } |
| 180 | } |
| 181 | if isTLS { |
| 182 | c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains") |
| 183 | } |
| 184 | |
| 185 | c.Next() |
| 186 | } |
| 187 | } |