authelia/internal/middlewares/headers.go
James Elliott 0855ea2f71
fix(server): missing cache and xss headers (#3289)
Addresses documentation and a couple of headers which were missed.
2022-05-04 14:47:23 +10:00


package middlewares
import (
"github.com/valyala/fasthttp"
)
// SecurityHeaders middleware adds several modern recommended security headers with safe values.
//
// It sets X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-Frame-Options
// and X-XSS-Protection on every response, using the header name/value byte slices
// declared elsewhere in this package. The headers are written before the wrapped
// handler runs, so a downstream handler is still free to override any of them.
//
// NOTE(review): X-XSS-Protection is a legacy header; current guidance (e.g. OWASP)
// is to disable the filter ("0") or omit the header and rely on CSP instead. Confirm
// the value behind headerValueXSSModeBlock against that guidance.
func SecurityHeaders(next fasthttp.RequestHandler) fasthttp.RequestHandler {
	// Table of header name/value pairs, built once when the middleware is constructed.
	pairs := []struct {
		name  []byte
		value []byte
	}{
		{headerXContentTypeOptions, headerValueNoSniff},
		{headerReferrerPolicy, headerValueStrictOriginCrossOrigin},
		{headerPermissionsPolicy, headerValueCohort},
		{headerXFrameOptions, headerValueSameOrigin},
		{headerXXSSProtection, headerValueXSSModeBlock},
	}

	return func(ctx *fasthttp.RequestCtx) {
		hdr := &ctx.Response.Header
		for _, p := range pairs {
			hdr.SetBytesKV(p.name, p.value)
		}

		next(ctx)
	}
}
// SecurityHeadersCSPNone middleware adds the Content-Security-Policy header with the value "default-src 'none';".
//
// The header is set before the wrapped handler runs, so a downstream handler may
// replace it with a less restrictive policy if it needs to serve active content.
func SecurityHeadersCSPNone(next fasthttp.RequestHandler) fasthttp.RequestHandler {
	handler := func(ctx *fasthttp.RequestCtx) {
		hdr := &ctx.Response.Header
		hdr.SetBytesKV(headerContentSecurityPolicy, headerValueCSPNone)

		next(ctx)
	}

	return handler
}
// SecurityHeadersNoStore middleware adds the Pragma no-cache and Cache-Control no-store headers.
//
// Cache-Control: no-store is the directive that prevents caches from retaining the
// response; Pragma: no-cache is kept alongside it for HTTP/1.0 intermediaries.
// Both are written before the wrapped handler runs.
func SecurityHeadersNoStore(next fasthttp.RequestHandler) fasthttp.RequestHandler {
	handler := func(ctx *fasthttp.RequestCtx) {
		hdr := &ctx.Response.Header
		hdr.SetBytesKV(headerPragma, headerValueNoCache)
		hdr.SetBytesKV(headerCacheControl, headerValueNoStore)

		next(ctx)
	}

	return handler
}