secure

package module
v1.0.2 Latest
This package is not in the latest version of its module.
Published: Sep 12, 2020 License: MIT Imports: 5 Imported by: 1

README

gowww secure

Package secure provides security utilities, CSP, HPKP, HSTS and other security wins.

Installing

  1. Get package:

    go get -u github.com/gowww/secure
    
  2. Import it in your code:

    import "github.com/gowww/secure"
    

Usage

To wrap an http.Handler, use Handle:

mux := http.NewServeMux()

mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "Hello")
})

http.ListenAndServe(":8080", secure.Handle(mux, nil))

To wrap an http.HandlerFunc, use HandleFunc:

http.Handle("/", secure.HandleFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "Hello")
}, nil))

http.ListenAndServe(":8080", nil)

To set custom security options, see Options GoDoc reference.

Documentation

Overview

Package secure provides security utilities, CSP, HPKP, HSTS and other security wins.

Example
package main

import (
	"fmt"
	"net/http"

	"github.com/gowww/secure"
)

func main() {
	mux := http.NewServeMux()

	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "Hello")
	})

	http.ListenAndServe(":8080", secure.Handle(mux, &secure.Options{
		ForceSSL:       true,
		EnvDevelopment: true,
	}))
}


Constants

const (
	FrameDenied     = "DENY"       // The page cannot be displayed in a frame, regardless of the site attempting to do so.
	FrameSameOrigin = "SAMEORIGIN" // The page can only be displayed in a frame on the same origin as the page itself.

	HPKPDefaultMaxAge = 30 * 24 * time.Hour // HPKPDefaultMaxAge provides a default HPKP Max-Age value of 30 days.
	HSTSDefaultMaxAge = 30 * 24 * time.Hour // HSTSDefaultMaxAge provides a default HSTS Max-Age value of 30 days.

	ReferrerPolicyNoReferrer                  = "no-referrer"                     // No referrer information is to be sent.
	ReferrerPolicyNoReferrerWhenDowngrade     = "no-referrer-when-downgrade"      // Send a full URL from a TLS-protected environment settings object to a potentially trustworthy URL, and from clients which are not TLS-protected to any origin.
	ReferrerPolicySameOrigin                  = "same-origin"                     // A full URL, stripped for use as a referrer, is sent when making same-origin requests
	ReferrerPolicyOrigin                      = "origin"                          // Only the ASCII serialization of the origin is sent when making both same-origin and cross-origin requests.
	ReferrerPolicyStrictOrigin                = "strict-origin"                   // Send the ASCII serialization of the origin from a TLS-protected environment settings object to a potentially trustworthy URL, and from non-TLS-protected environment settings objects to any origin.
	ReferrerPolicyOriginWhenCrossOrigin       = "origin-when-cross-origin"        // A full URL, stripped for use as a referrer, is sent when making same-origin requests, and only the ASCII serialization of the origin is sent when making cross-origin requests.
	ReferrerPolicyStrictOriginWhenCrossOrigin = "strict-origin-when-cross-origin" // A full URL, stripped for use as a referrer, is sent when making same-origin requests, and only the ASCII serialization of the origin when making cross-origin requests from a TLS-protected environment settings object to a potentially trustworthy URL, and from non-TLS-protected environment settings objects to any origin.
	ReferrerPolicyUnsafeURL                   = "unsafe-url"                      // A full URL, stripped for use as a referrer, is sent when making both same-origin and cross-origin requests.

	XSSProtectionDisabled = "0"             // Disables XSS filtering.
	XSSProtectionEnabled  = "1"             // Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
	XSSProtectionBlock    = "1; mode=block" // Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
)

Options and headers directives.

const HSTSPreloadMinAge = 10886400

HSTSPreloadMinAge is the lowest max-age usable with HSTS preload (18 weeks, in seconds). See https://hstspreload.org. Note that hstspreload.org has since raised its requirement to a max-age of at least one year (31536000 seconds), so a deployment meant for the preload list should use that value rather than this constant.

Variables

This section is empty.

Functions

func FrameAllow

func FrameAllow(uri string) string

FrameAllow returns a Frame directive.

It allows the page to be displayed in a frame on the specified origin, using the X-Frame-Options ALLOW-FROM directive. Note that ALLOW-FROM is obsolete: Chromium and Safari never supported it and Firefox dropped it in version 70, and a browser that does not recognise the value ignores the header entirely, leaving the page frameable. To allow a single origin in current browsers, use the CSP frame-ancestors directive (via the CSP option) instead.

func Handle

func Handle(h http.Handler, o *Options) http.Handler

Handle returns a Handler wrapping another http.Handler.

Example
package main

import (
	"fmt"
	"net/http"

	"github.com/gowww/secure"
)

func main() {
	mux := http.NewServeMux()

	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "Hello")
	})

	// Wrap the mux so every response carries the default security headers.
	http.ListenAndServe(":8080", secure.Handle(mux, nil))
}

func HandleFunc

func HandleFunc(f http.HandlerFunc, o *Options) http.Handler

HandleFunc returns a Handler wrapping an http.HandlerFunc.

Example
package main

import (
	"fmt"
	"net/http"

	"github.com/gowww/secure"
)

func main() {
	http.Handle("/", secure.HandleFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "Hello")
	}, nil))

	http.ListenAndServe(":8080", nil)
}

func XSSProtectionReport

func XSSProtectionReport(uri string) string

XSSProtectionReport returns an XSSProtection directive.

It enables XSS filtering and, if a cross-site scripting attack is detected, makes the browser sanitize the page and report the violation to the given URI, reusing the reporting mechanism of the CSP report-uri directive. Only Chromium ever implemented the report directive. Chromium removed its XSS Auditor in version 78 and Firefox never implemented X-XSS-Protection at all, so current browsers ignore this header; use a Content Security Policy (the CSP option) instead.

Types

type HPKPOptions

type HPKPOptions struct {
	Keys              []string      // Keys contains the Base64 encoded Subject Public Key Information (SPKI) fingerprints. This field is required.
	MaxAge            time.Duration // MaxAge indicates how long the browser should remember that this site is only to be accessed using one of the pinned keys. This field is required.
	IncludeSubdomains bool          // IncludeSubdomains indicates whether HPKP applies to all of the site's subdomains as well.
	ReportURI         string        // ReportURI is the URL at which validation failures are reported to.
}

HPKPOptions represents HTTP Public Key Pinning options. See RFC 7469 and https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning. Note that HPKP is deprecated: Chromium removed support in version 72 and Firefox in version 72, so current browsers ignore the header. While it was enforced, a wrong pin (for example a rotated key with no matching backup pin) locked clients out for the whole MaxAge, which is why at least two pins and a short MaxAge were always required.
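The Keys field above expects base64 SPKI SHA-256 digests, a format that is easy to get wrong (hashing the whole certificate, or hex-encoding the digest, yields a pin nothing will match). The following is an added example written for this page, not code from the gowww/secure package: it derives such a pin from a public key with the standard library, generates the backup pin RFC 7469 requires, and renders a Public-Key-Pins header from the same fields as HPKPOptions. SPKIFingerprint, ValidPin, BackupPin and HPKPHeader are names chosen here, not the package's API, and the keys are generated on the spot rather than read from a real certificate. Since browsers no longer enforce HPKP, the SPKI-digest computation is the part still worth knowing: the same "base64 of SHA-256 over DER SubjectPublicKeyInfo" value is what TLS clients use for certificate pinning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// SPKIFingerprint computes the value RFC 7469 pins: base64 of the SHA-256
// digest of the DER-encoded SubjectPublicKeyInfo, not of the certificate.
func SPKIFingerprint(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// ValidPin reports whether p is syntactically a pin-sha256 value:
// standard base64 that decodes to exactly 32 bytes.
func ValidPin(p string) bool {
	b, err := base64.StdEncoding.DecodeString(p)
	return err == nil && len(b) == sha256.Size
}

// BackupPin generates a fresh P-256 key (to be kept offline) and returns its
// pin. RFC 7469 requires a backup pin whose key is not in the served chain,
// so the site can rotate keys without locking out clients that noted the pins.
func BackupPin() (*ecdsa.PrivateKey, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	pin, err := SPKIFingerprint(&key.PublicKey)
	return key, pin, err
}

// HPKPHeader renders a Public-Key-Pins value from the same fields as
// HPKPOptions. Fewer than two pins, or a malformed pin, is refused.
func HPKPHeader(keys []string, maxAge time.Duration, includeSubdomains bool, reportURI string) (string, error) {
	if len(keys) < 2 {
		return "", fmt.Errorf("hpkp: need a current pin and a backup pin, got %d", len(keys))
	}
	parts := make([]string, 0, len(keys)+3)
	for _, k := range keys {
		if !ValidPin(k) {
			return "", fmt.Errorf("hpkp: %q is not a base64 SHA-256 SPKI digest", k)
		}
		parts = append(parts, fmt.Sprintf("pin-sha256=%q", k))
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", int64(maxAge/time.Second)))
	if includeSubdomains {
		parts = append(parts, "includeSubDomains")
	}
	if reportURI != "" {
		parts = append(parts, fmt.Sprintf("report-uri=%q", reportURI))
	}
	return strings.Join(parts, "; "), nil
}

func main() {
	_, current, _ := BackupPin() // stands in for the live certificate's key
	_, backup, _ := BackupPin()  // the offline backup key
	h, err := HPKPHeader([]string{current, backup}, 30*24*time.Hour, true, "https://example.com/hpkp-report")
	fmt.Println(h, err)
}
```

In a real deployment the first pin would be computed from the certificate actually served (x509.Certificate.PublicKey), and the backup key's CSR would already be prepared so that rotation only swaps which of the two pins is live.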

type HSTSOptions

type HSTSOptions struct {
	MaxAge            time.Duration // MaxAge indicates how long the browser should remember that this site is only to be accessed using HTTPS. This field is required.
	IncludeSubdomains bool          // IncludeSubdomains indicates whether HSTS applies to all of the site's subdomains as well.
	Preload           bool          // Preload adds the preload directive. It is not part of RFC 6797, but it is required for submission to the browsers' built-in HSTS preload list. See https://hstspreload.appspot.com.
}

HSTSOptions represents HTTP Strict Transport Security options. See RFC 6797 and https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security.

type Options

type Options struct {
	AllowedHosts   []string     // AllowedHosts indicates which fully qualified domain names are allowed to point to this server. If none are set, all are allowed.
	CSP            string       // CSP contains Content Security Policy. See http://www.w3.org/TR/CSP and https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy.
	Frame          string       // Frame indicates whether or not a browser should be allowed to render a page in a frame, iframe or object. Default is FrameSameOrigin.
	HPKP           *HPKPOptions // HPKP contains the HTTP Public Key Pinning options.
	HSTS           *HSTSOptions // HSTS contains the HTTP Strict Transport Security options.
	ReferrerPolicy string       // ReferrerPolicy contains Referrer Policy. See https://www.w3.org/TR/referrer-policy.
	XSSProtection  string       // XSSProtection can stop pages from loading when browser detects an XSS attack. Default is XSSProtectionBlock.
	ForceSSL       bool         // ForceSSL indicates whether an insecure request must be redirected to the secure protocol.
	EnvDevelopment bool         // EnvDevelopment can be used during development to defuse AllowedHosts, HPKP, HSTS and ForceSSL options.
}

Options represents security options.
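The Options fields above describe behaviour rather than show it. The following is an added example written for this page, not code from the gowww/secure package: it re-implements the AllowedHosts, ForceSSL, HSTS and EnvDevelopment behaviour in plain net/http so it can be run and inspected offline, and includes the HSTSPreloadMinAge check from the Constants section. HSTSConfig, Config, Secure, Probe and PreloadEligible are names chosen here, not the package's API, and the sample hosts and paths are constructed. It also applies two rules the page leaves implicit: Strict-Transport-Security is only emitted on TLS responses (RFC 6797), and only the connection's own TLS state, never a client-controllable X-Forwarded-Proto header, decides whether a request is secure.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// HSTSPreloadMinAge repeats the page's constant (18 weeks, in seconds).
const HSTSPreloadMinAge = 10886400

// HSTSConfig and Config stand in for HSTSOptions and Options (assumed names;
// only the transport-related fields are modelled).
type HSTSConfig struct {
	MaxAge            time.Duration
	IncludeSubdomains bool
	Preload           bool
}
type Config struct {
	AllowedHosts   []string
	HSTS           *HSTSConfig
	ForceSSL       bool
	EnvDevelopment bool
}

// HSTSHeader renders a Strict-Transport-Security value per RFC 6797.
func HSTSHeader(c HSTSConfig) string {
	v := fmt.Sprintf("max-age=%d", int64(c.MaxAge/time.Second))
	if c.IncludeSubdomains {
		v += "; includeSubDomains"
	}
	if c.Preload {
		v += "; preload"
	}
	return v
}

// PreloadEligible checks what the preload list requires of the header:
// max-age of at least HSTSPreloadMinAge plus includeSubDomains and preload.
func PreloadEligible(c HSTSConfig) bool {
	return c.MaxAge >= HSTSPreloadMinAge*time.Second && c.IncludeSubdomains && c.Preload
}

// hostAllowed compares the Host header (port stripped, case-insensitive)
// against the allow-list; an empty list allows every host, as on the page.
func hostAllowed(host string, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	for _, a := range allowed {
		if strings.EqualFold(host, a) {
			return true
		}
	}
	return false
}

// Secure wraps h with the AllowedHosts, ForceSSL, HSTS and EnvDevelopment
// behaviour the Options fields describe.
func Secure(h http.Handler, c Config) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only the connection's own TLS state is trusted; X-Forwarded-Proto is
		// ignored because any client can send it unless a trusted proxy overwrites it.
		https := r.TLS != nil
		if !c.EnvDevelopment {
			if !hostAllowed(r.Host, c.AllowedHosts) {
				http.Error(w, "unexpected Host header", http.StatusBadRequest)
				return
			}
			if c.ForceSSL && !https {
				u := *r.URL
				u.Scheme, u.Host = "https", r.Host
				http.Redirect(w, r, u.String(), http.StatusMovedPermanently)
				return
			}
			// RFC 6797 only honours HSTS over TLS, so it is not sent on plain HTTP.
			if c.HSTS != nil && https {
				w.Header().Set("Strict-Transport-Security", HSTSHeader(*c.HSTS))
			}
		}
		h.ServeHTTP(w, r)
	})
}

// Probe sends one request through Secure to a trivial 200 handler and returns
// the recorded response, so the middleware can be exercised offline.
func Probe(c Config, host, target string, https bool) *httptest.ResponseRecorder {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	r.Host = host
	if https {
		r.TLS = &tls.ConnectionState{}
	}
	rr := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	Secure(ok, c).ServeHTTP(rr, r)
	return rr
}
```

Behind a TLS-terminating proxy r.TLS is nil for every request, so this version would redirect forever; in that deployment the proxy must set X-Forwarded-Proto itself and strip any client-supplied copy before the application trusts it.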
