
Struct SecureConfig

middleware/secure.go:13–76

SecureConfig defines the config for Secure middleware. Each field maps onto one response header, which is set only when the field is non-empty (non-zero for HSTSMaxAge); leaving a field empty leaves that header out of the response. Two of the documented values are legacy: X-XSS-Protection is ignored by Chromium and Firefox, and current OWASP guidance is to set it to "0" and rely on ContentSecurityPolicy instead; the "ALLOW-FROM uri" form of X-Frame-Options was never standardised and is not honoured by current browsers (use the CSP frame-ancestors directive). Browsers ignore Strict-Transport-Security received over plain HTTP, so HSTSMaxAge only has an effect on HTTPS responses, and submission to hstspreload.org requires a max-age of at least one year (31536000 seconds) together with the includeSubDomains and preload directives.


// SecureConfig defines the config for Secure middleware.
type SecureConfig struct {
    // Skipper defines a function to skip middleware.
    Skipper Skipper

    // XSSProtection provides protection against cross-site scripting attack (XSS)
    // by setting the `X-XSS-Protection` header.
    // Note: the header is ignored by Chromium and Firefox; set "0" to disable the
    // legacy filter and rely on ContentSecurityPolicy instead.
    // Optional. Default value "1; mode=block".
    XSSProtection string

    // ContentTypeNosniff provides protection against overriding the Content-Type
    // header by setting the `X-Content-Type-Options` header.
    // Optional. Default value "nosniff".
    ContentTypeNosniff string

    // XFrameOptions can be used to indicate whether or not a browser should
    // be allowed to render a page in a <frame>, <iframe> or <object>.
    // Sites can use this to avoid clickjacking attacks, by ensuring that their
    // content is not embedded into other sites.
    // Optional. Default value "SAMEORIGIN".
    // Possible values:
    // - "SAMEORIGIN" - The page can only be displayed in a frame on the same origin as the page itself.
    // - "DENY" - The page cannot be displayed in a frame, regardless of the site attempting to do so.
    // - "ALLOW-FROM uri" - The page can only be displayed in a frame on the specified origin.
    //   Obsolete: never standardised and not supported by current browsers; use the
    //   CSP `frame-ancestors` directive instead.
    XFrameOptions string

    // HSTSMaxAge sets the `Strict-Transport-Security` header to indicate how
    // long (in seconds) browsers should remember that this site is only to
    // be accessed using HTTPS. This reduces your exposure to some SSL-stripping
    // man-in-the-middle (MITM) attacks.
    // Optional. Default value 0.
    HSTSMaxAge int

    // HSTSExcludeSubdomains omits the `includeSubDomains` directive from the
    // `Strict-Transport-Security` header, so subdomains are not covered by the
    // policy. It has no effect unless HSTSMaxAge is set to a non-zero value.
    // Optional. Default value false.
    HSTSExcludeSubdomains bool

    // ContentSecurityPolicy sets the `Content-Security-Policy` header providing
    // security against cross-site scripting (XSS), clickjacking and other code
    // injection attacks resulting from execution of malicious content in the
    // trusted web page context.
    // Optional. Default value "".
    ContentSecurityPolicy string

    // CSPReportOnly would use the `Content-Security-Policy-Report-Only` header instead
    // of the `Content-Security-Policy` header. This allows iterative updates of the
    // content security policy by only reporting the violations that would
    // have occurred instead of blocking the resource.
    // Optional. Default value false.
    CSPReportOnly bool

    // HSTSPreloadEnabled adds the `preload` directive to the `Strict-Transport-Security`
    // header, which is a prerequisite for submitting the domain to the HSTS preload list
    // maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
    // Optional. Default value false.
    HSTSPreloadEnabled bool
}
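The fields above map one-to-one onto response headers. As an added example (not Echo's own code), the following standard-library net/http middleware applies the same settings with a hardened configuration, so the resulting header values and two points practitioners often trip over can be seen directly: Strict-Transport-Security is emitted only on TLS requests (RFC 6797 section 7.2 forbids sending it over plain HTTP, and browsers ignore it there), and CSPReportOnly changes which header carries the policy, not the policy itself. The hardeningConfig type, the hardened value and the functions hstsValue, secureHeaders and responseHeaders are names introduced here for the example; none of them exist in Echo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hardeningConfig is a stand-in for the SecureConfig fields shown above (Skipper
// omitted). It is defined for this example and is not echo's own type.
type hardeningConfig struct {
	XSSProtection         string
	ContentTypeNosniff    string
	XFrameOptions         string
	HSTSMaxAge            int
	HSTSExcludeSubdomains bool
	HSTSPreloadEnabled    bool
	ContentSecurityPolicy string
	CSPReportOnly         bool
}

// hardened overrides the page's defaults where current guidance differs:
// X-XSS-Protection disabled (OWASP recommends "0"), DENY instead of SAMEORIGIN,
// a two-year HSTS max-age with preload, and an explicit CSP.
var hardened = hardeningConfig{
	XSSProtection:         "0",
	ContentTypeNosniff:    "nosniff",
	XFrameOptions:         "DENY",
	HSTSMaxAge:            63072000,
	HSTSPreloadEnabled:    true,
	ContentSecurityPolicy: "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
}

// hstsValue builds the Strict-Transport-Security value from the three HSTS
// fields. It returns "" when HSTSMaxAge is 0, so HSTSExcludeSubdomains and
// HSTSPreloadEnabled have no effect on their own, as documented on the page.
func hstsValue(cfg hardeningConfig) string {
	if cfg.HSTSMaxAge == 0 {
		return ""
	}
	v := fmt.Sprintf("max-age=%d", cfg.HSTSMaxAge)
	if !cfg.HSTSExcludeSubdomains {
		v += "; includeSubDomains"
	}
	if cfg.HSTSPreloadEnabled {
		v += "; preload"
	}
	return v
}

// secureHeaders wraps next and sets each header whose field is configured.
func secureHeaders(cfg hardeningConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		if cfg.XSSProtection != "" {
			h.Set("X-XSS-Protection", cfg.XSSProtection)
		}
		if cfg.ContentTypeNosniff != "" {
			h.Set("X-Content-Type-Options", cfg.ContentTypeNosniff)
		}
		if cfg.XFrameOptions != "" {
			h.Set("X-Frame-Options", cfg.XFrameOptions)
		}
		// RFC 6797 section 7.2: an HSTS host must not send the header over
		// non-secure transport, and browsers ignore it there anyway.
		if r.TLS != nil {
			if v := hstsValue(cfg); v != "" {
				h.Set("Strict-Transport-Security", v)
			}
		}
		if cfg.ContentSecurityPolicy != "" {
			// CSPReportOnly switches the header name; the policy text is unchanged.
			name := "Content-Security-Policy"
			if cfg.CSPReportOnly {
				name = "Content-Security-Policy-Report-Only"
			}
			h.Set(name, cfg.ContentSecurityPolicy)
		}
		next.ServeHTTP(w, r)
	})
}

// responseHeaders sends one in-memory request through the middleware and returns
// the response headers. httptest.NewRequest sets r.TLS for an https:// target.
func responseHeaders(cfg hardeningConfig, overTLS bool) http.Header {
	target := "http://example.test/"
	if overTLS {
		target = "https://example.test/"
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	secureHeaders(cfg, ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Result().Header
}

func main() {
	for name, values := range responseHeaders(hardened, true) {
		fmt.Printf("%s: %s\n", name, values[0])
	}
}
```

Running main prints the five headers for a TLS request; calling responseHeaders(hardened, false) shows that the same configuration yields no Strict-Transport-Security header over plain HTTP, and flipping CSPReportOnly moves the policy to Content-Security-Policy-Report-Only so violations are reported rather than enforced while a policy is being tuned.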

Callers

nothing calls this directly

Calls

no outgoing calls

Tested by

no test coverage detected