hub / github.com/hatchet-dev/hatchet / Middleware

Function Middleware

api/v1/server/headers/middleware.go:9–56


package headers

import (
	"github.com/labstack/echo/v4"

	// Project-internal package that defines MiddlewareFunc and RouteInfo. Its import
	// path is not shown on this page and is assumed from the file's location.
	"github.com/hatchet-dev/hatchet/api/v1/server/middleware"
)

func Middleware() middleware.MiddlewareFunc {
	return func(r *middleware.RouteInfo) echo.HandlerFunc {
		return func(c echo.Context) error {
			// ensure the Strict-Transport-Security header is set for all
			// endpoints, as it will help ensure protection against TLS protocol downgrade
			// attacks and cookie hijacking. The header also ensures that browsers only serve
			// requests using a secure HTTPS connection.
			c.Response().Header().Set("Strict-Transport-Security", "max-age=776000; includeSubDomains; preload")

			// Adds a layer of defense against a range of content
			// injection vulnerabilities by allowing the application to inform the client of expected
			// resource sources. This can be used to prevent scripts from external sources from
			// being injected into the application.
			c.Response().Header().Set("Content-Security-Policy", "script-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'")

			// Defines how much information browsers include in the referrer
			// header when users navigate away from the application, which can prevent
			// information disclosure.
			c.Response().Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")

			// Helps prevent clickjacking attacks by preventing the application from being framed in undesirable locations.
			c.Response().Header().Set("X-Frame-Options", "DENY")

			// Used to prevent MIME-sniffing, which is the process in
			// which browsers attempt to determine the content type and encoding of an HTTP
			// response if these properties are incorrect or not present within the HTTP headers.
			c.Response().Header().Set("X-Content-Type-Options", "nosniff")

			// Allows you to control which origins can use which browser
			// features, both in the top-level page and in embedded frames. For every feature
			// controlled by Feature Policy, the feature is only enabled in the current document
			// or frame if its origin matches the allowed list of origins.
			c.Response().Header().Set("Permissions-Policy", "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(self), payment=()")

			// The require-corp directive implies that the document can only access resources that are either from the same origin or have been specifically granted permission otherwise.
			c.Response().Header().Set("Cross-Origin-Embedder-Policy", "require-corp")

			// Cross-Origin-Opener-Policy prevents a document from being opened in a browsing context that has a different opener than its own. This helps prevent attacks where a document is opened in a new tab or window and is able to navigate the opening document to a malicious URL.
			c.Response().Header().Set("Cross-Origin-Opener-Policy", "same-origin")

			// Only requests from the same origin (i.e. scheme + host + port) can read the resource.
			c.Response().Header().Set("Cross-Origin-Resource-Policy", "same-origin")
			return nil
		}
	}
}

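The same header set, ported to net/http together with an audit helper, as an added example; this is not Hatchet's own code. The header values are copied from the middleware above, while the function and type names (SecurityHeaders, HSTSMaxAge, CSPDirective, Audit, AuditResult) are this example's own. The audit sends one request through the middleware with httptest and reports which expected headers are missing, parses the HSTS max-age and compares it with the 31536000-second (one year) minimum the browser preload list requires, and flags X-Frame-Options: DENY sitting beside frame-ancestors 'self'.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// securityHeaders holds the values set by the Hatchet middleware above, copied from
// the page. The function names and audit logic are this example's own, not Hatchet's.
var securityHeaders = map[string]string{
	"Strict-Transport-Security":    "max-age=776000; includeSubDomains; preload",
	"Content-Security-Policy":      "script-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'",
	"Referrer-Policy":              "strict-origin-when-cross-origin",
	"X-Frame-Options":              "DENY",
	"X-Content-Type-Options":       "nosniff",
	"Permissions-Policy":           "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(self), payment=()",
	"Cross-Origin-Embedder-Policy": "require-corp",
	"Cross-Origin-Opener-Policy":   "same-origin",
	"Cross-Origin-Resource-Policy": "same-origin",
}

// SecurityHeaders is a net/http port of the Echo middleware: every header is set
// before the request reaches the next handler.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, value := range securityHeaders {
			w.Header().Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// hstsPreloadMinAge is the smallest max-age (one year, in seconds) the browser HSTS
// preload list accepts; a "preload" token with a shorter max-age is not honoured there.
const hstsPreloadMinAge = 31536000

// HSTSMaxAge extracts max-age from a Strict-Transport-Security value; ok is false
// when the directive is absent or malformed.
func HSTSMaxAge(v string) (age int, ok bool) {
	for _, d := range strings.Split(v, ";") {
		d = strings.TrimSpace(d)
		if len(d) > 8 && strings.EqualFold(d[:8], "max-age=") {
			n, err := strconv.Atoi(strings.TrimSpace(d[8:]))
			return n, err == nil && n >= 0
		}
	}
	return 0, false
}

// CSPDirective returns the source list of one CSP directive, or "" if it is unset.
func CSPDirective(csp, name string) string {
	for _, d := range strings.Split(csp, ";") {
		if f := strings.Fields(d); len(f) > 0 && strings.EqualFold(f[0], name) {
			return strings.Join(f[1:], " ")
		}
	}
	return ""
}

// AuditResult is what Audit reports about one response.
type AuditResult struct {
	Missing       []string // expected headers that were not set
	HSTSMaxAge    int      // parsed max-age, 0 when absent
	PreloadReady  bool     // max-age >= one year with includeSubDomains and preload
	FrameConflict bool     // X-Frame-Options: DENY beside frame-ancestors 'self'
}

// Audit drives one request through h with httptest and checks the response headers.
func Audit(h http.Handler) AuditResult {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	hdr := rec.Header()
	var res AuditResult
	for name := range securityHeaders {
		if hdr.Get(name) == "" {
			res.Missing = append(res.Missing, name)
		}
	}
	hsts := strings.ToLower(hdr.Get("Strict-Transport-Security"))
	if age, ok := HSTSMaxAge(hsts); ok {
		res.HSTSMaxAge = age
	}
	res.PreloadReady = res.HSTSMaxAge >= hstsPreloadMinAge &&
		strings.Contains(hsts, "includesubdomains") && strings.Contains(hsts, "preload")
	// Browsers that understand frame-ancestors ignore X-Frame-Options when both are
	// present, so DENY beside 'self' blocks same-origin framing only in legacy browsers.
	ancestors := CSPDirective(hdr.Get("Content-Security-Policy"), "frame-ancestors")
	res.FrameConflict = strings.EqualFold(hdr.Get("X-Frame-Options"), "DENY") &&
		strings.Contains(ancestors, "'self'")
	return res
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	fmt.Printf("%+v\n", Audit(SecurityHeaders(ok)))
}
```

Run as-is, it reports the values above as complete (nothing missing), with HSTSMaxAge 776000 (about nine days) and PreloadReady false, since the preload list requires max-age of at least one year before the preload token has any effect, and FrameConflict true, because the DENY is overridden by frame-ancestors 'self' in browsers that implement CSP level 2. A further check worth running against pages that load third-party assets: Cross-Origin-Embedder-Policy: require-corp makes the browser refuse cross-origin subresources that do not opt in through CORP or CORS.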
Callers (1): registerSpecMethod (0.92)

Calls (2): SetMethod (0.65), HeaderMethod (0.45)

Tested by: no test coverage detected