| 7 | ) |
| 8 | |
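// Middleware returns a route middleware whose handler stamps a fixed set of
// browser security headers onto every response.
//
// The returned handler only sets response headers and then returns nil; how
// the framework chains it with the route's own handler is defined by
// middleware.MiddlewareFunc, not here. All values are static, so the same
// policy applies to every endpoint regardless of content type.
func Middleware() middleware.MiddlewareFunc {
	return func(_ *middleware.RouteInfo) echo.HandlerFunc {
		return func(c echo.Context) error {
			h := c.Response().Header()

			// Strict-Transport-Security: tells the browser to reach this host
			// (and its subdomains) over HTTPS only for max-age seconds, which
			// defends against TLS downgrade attacks and plaintext cookie theft.
			// The preload directive requests inclusion in browsers' built-in
			// HSTS list, which only accepts a max-age of at least one year
			// (31536000 s) — a shorter max-age with preload is rejected, so the
			// two must stay consistent.
			h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")

			// Content-Security-Policy: scripts may only be loaded from this
			// origin, plugins (object-src) are disabled, the <base> URL is
			// pinned to this origin, and only same-origin pages may frame the
			// document. No default-src is set, so other resource types
			// (styles, images, connections, ...) are not restricted by CSP.
			// NOTE(review): frame-ancestors 'self' permits same-origin framing
			// while X-Frame-Options below is DENY; browsers that support
			// frame-ancestors ignore X-Frame-Options, so modern browsers allow
			// same-origin framing and legacy ones refuse it — confirm which
			// behaviour is intended.
			h.Set("Content-Security-Policy", "script-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'")

			// Referrer-Policy: send the full URL only to same-origin
			// destinations and just the origin on cross-origin HTTPS
			// navigations, limiting leakage of path/query data to third parties.
			h.Set("Referrer-Policy", "strict-origin-when-cross-origin")

			// X-Frame-Options: legacy anti-clickjacking control for browsers
			// that do not understand CSP frame-ancestors.
			h.Set("X-Frame-Options", "DENY")

			// X-Content-Type-Options: stop browsers from MIME-sniffing the body
			// and reinterpreting it as a different (e.g. executable) type when
			// Content-Type is missing or wrong.
			h.Set("X-Content-Type-Options", "nosniff")

			// Permissions-Policy: disables the listed browser features for this
			// document and any embedded frames; fullscreen stays available to
			// same-origin content only. Browsers ignore feature names they do
			// not recognise, so some legacy Feature-Policy names in this list
			// (e.g. notifications, push, speaker, vibrate) may have no effect.
			h.Set("Permissions-Policy", "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(self), payment=()")

			// Cross-Origin-Embedder-Policy: the document may only load
			// cross-origin resources that explicitly opt in via CORP or CORS.
			// Together with COOP same-origin this makes the page cross-origin
			// isolated; any third-party script, image or font that does not
			// send such headers will fail to load under this policy.
			h.Set("Cross-Origin-Embedder-Policy", "require-corp")

			// Cross-Origin-Opener-Policy: isolates this document's browsing
			// context group from cross-origin openers/popups so they cannot
			// hold a reference to (or navigate) this window.
			h.Set("Cross-Origin-Opener-Policy", "same-origin")

			// Cross-Origin-Resource-Policy: only same-origin (scheme + host +
			// port) documents may read this response as a subresource.
			h.Set("Cross-Origin-Resource-Policy", "same-origin")

			return nil
		}
	}
}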