Documentation ¶
Overview ¶
Package secure provides security utilities, CSP, HPKP, HSTS and other security wins.
Example ¶
package main

import (
	"fmt"
	"net/http"

	"github.com/gowww/secure"
)

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "Hello")
	})
	http.ListenAndServe(":8080", secure.Handle(mux, &secure.Options{
		ForceSSL:       true,
		EnvDevelopment: true,
	}))
}
Constants ¶
const (
	// The page cannot be displayed in a frame, regardless of the site attempting to do so.
	FrameDenied = "DENY"
	// The page can only be displayed in a frame on the same origin as the page itself.
	FrameSameOrigin = "SAMEORIGIN"

	// HPKPDefaultMaxAge provides a default HPKP Max-Age value of 30 days.
	HPKPDefaultMaxAge = 30 * 24 * time.Hour
	// HSTSDefaultMaxAge provides a default HSTS Max-Age value of 30 days.
	HSTSDefaultMaxAge = 30 * 24 * time.Hour

	// No referrer information is to be sent.
	ReferrerPolicyNoReferrer = "no-referrer"
	// Send a full URL from a TLS-protected environment settings object to a potentially
	// trustworthy URL, and from clients which are not TLS-protected to any origin.
	ReferrerPolicyNoReferrerWhenDowngrade = "no-referrer-when-downgrade"
	// A full URL, stripped for use as a referrer, is sent when making same-origin requests.
	ReferrerPolicySameOrigin = "same-origin"
	// Only the ASCII serialization of the origin is sent when making both same-origin and
	// cross-origin requests.
	ReferrerPolicyOrigin = "origin"
	// Send the ASCII serialization of the origin from a TLS-protected environment settings
	// object to a potentially trustworthy URL, and from non-TLS-protected environment settings
	// objects to any origin.
	ReferrerPolicyStrictOrigin = "strict-origin"
	// A full URL, stripped for use as a referrer, is sent when making same-origin requests,
	// and only the ASCII serialization of the origin is sent when making cross-origin requests.
	ReferrerPolicyOriginWhenCrossOrigin = "origin-when-cross-origin"
	// A full URL, stripped for use as a referrer, is sent when making same-origin requests,
	// and only the ASCII serialization of the origin when making cross-origin requests from a
	// TLS-protected environment settings object to a potentially trustworthy URL, and from
	// non-TLS-protected environment settings objects to any origin.
	ReferrerPolicyStrictOriginWhenCrossOrigin = "strict-origin-when-cross-origin"
	// A full URL, stripped for use as a referrer, is sent when making both same-origin and
	// cross-origin requests.
	ReferrerPolicyUnsafeURL = "unsafe-url"

	// Disables XSS filtering.
	XSSProtectionDisabled = "0"
	// Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is
	// detected, the browser will sanitize the page (remove the unsafe parts).
	XSSProtectionEnabled = "1"
	// Enables XSS filtering. Rather than sanitizing the page, the browser will prevent
	// rendering of the page if an attack is detected.
	XSSProtectionBlock = "1; mode=block"
)
Options and headers directives.
const HSTSPreloadMinAge = 10886400
HSTSPreloadMinAge is the lowest max age usable with HSTS preload. See https://hstspreload.org.
Variables ¶
This section is empty.
Functions ¶
func FrameAllow ¶
FrameAllow returns a Frame directive.
It allows the page to be displayed in a frame on the specified origin.
func Handle ¶
Handle returns a Handler wrapping another http.Handler.
Example ¶
package main

import (
	"fmt"
	"net/http"

	"github.com/gowww/secure"
)

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "Hello")
	})
	// Serve the mux through the secure handler; nil options keep the package defaults,
	// as in the HandleFunc example. Passing nil to ListenAndServe would serve the
	// DefaultServeMux instead and never reach the handlers registered on mux.
	http.ListenAndServe(":8080", secure.Handle(mux, nil))
}
func HandleFunc ¶
func HandleFunc(f http.HandlerFunc, o *Options) http.Handler
HandleFunc returns a Handler wrapping an http.HandlerFunc.
Example ¶
package main

import (
	"fmt"
	"net/http"

	"github.com/gowww/secure"
)

func main() {
	http.Handle("/", secure.HandleFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "Hello")
	}, nil))
	http.ListenAndServe(":8080", nil)
}
func XSSProtectionReport ¶
XSSProtectionReport returns an XSSProtection directive.
It enables XSS filtering (Chromium only). If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.
Types ¶
type HPKPOptions ¶
type HPKPOptions struct {
	// Keys contains the Base64 encoded Subject Public Key Information (SPKI) fingerprints.
	// This field is required.
	Keys []string
	// MaxAge indicates how long the browser should remember that this site is only to be
	// accessed using one of the pinned keys. This field is required.
	MaxAge time.Duration
	// IncludeSubdomains indicates whether HPKP applies to all of the site's subdomains as well.
	IncludeSubdomains bool
	// ReportURI is the URL to which validation failures are reported.
	ReportURI string
}
HPKPOptions represents HTTP Public Key Pinning options. See RFC 7469 and https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning.
type HSTSOptions ¶
type HSTSOptions struct {
	// MaxAge indicates how long the browser should remember that this site is only to be
	// accessed using HTTPS. This field is required.
	MaxAge time.Duration
	// IncludeSubdomains indicates whether HSTS applies to all of the site's subdomains as well.
	IncludeSubdomains bool
	// Preload adds the preload directive, so the site can be submitted to the browsers' HSTS
	// preload lists and always be reached over a secure connection. It's not part of the
	// standard. See https://hstspreload.appspot.com.
	Preload bool
}
HSTSOptions represents HTTP Strict Transport Security options. See RFC 6797 and https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security.
type Options ¶
type Options struct {
	// AllowedHosts indicates which fully qualified domain names are allowed to point to this
	// server. If none are set, all are allowed.
	AllowedHosts []string
	// CSP contains the Content Security Policy. See http://www.w3.org/TR/CSP and
	// https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy.
	CSP string
	// Frame indicates whether or not a browser should be allowed to render a page in a frame,
	// iframe or object. Default is FrameSameOrigin.
	Frame string
	// HPKP contains the HTTP Public Key Pinning options.
	HPKP *HPKPOptions
	// HSTS contains the HTTP Strict Transport Security options.
	HSTS *HSTSOptions
	// ReferrerPolicy contains the Referrer Policy. See https://www.w3.org/TR/referrer-policy.
	ReferrerPolicy string
	// XSSProtection can stop pages from loading when the browser detects an XSS attack.
	// Default is XSSProtectionBlock.
	XSSProtection string
	// ForceSSL indicates whether an insecure request must be redirected to the secure protocol.
	ForceSSL bool
	// EnvDevelopment can be used during development to defuse the AllowedHosts, HPKP, HSTS and
	// ForceSSL options.
	EnvDevelopment bool
}
Options represents security options.
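The behaviour these options describe, written out as an added standard-library example (not the package's own code): the HSTS header is built from HSTSOptions-style fields with HSTSPreloadMinAge enforced when Preload is set, and a wrapper applies the AllowedHosts check, the ForceSSL redirect and the default Frame and XSSProtection headers. The 400 status for a rejected Host and the 301 redirect status are assumptions, not documented package behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// HSTSPreloadMinAge mirrors the package constant: the lowest max-age hstspreload.org accepts.
const HSTSPreloadMinAge = 10886400
// hstsValue builds a Strict-Transport-Security value from the HSTSOptions fields. A preload
// flag whose max-age is below the preload minimum is refused rather than silently emitted.
func hstsValue(maxAge time.Duration, includeSubdomains, preload bool) (string, error) {
	secs := int64(maxAge / time.Second)
	if preload && secs < HSTSPreloadMinAge {
		return "", fmt.Errorf("hsts: preload needs max-age >= %d, got %d", HSTSPreloadMinAge, secs)
	}
	v := fmt.Sprintf("max-age=%d", secs)
	if includeSubdomains {
		v += "; includeSubDomains"
	}
	if preload {
		v += "; preload"
	}
	return v, nil
}

// secureHandler stands in for AllowedHosts, ForceSSL and the header options: refuse unknown hosts, redirect plain HTTP to HTTPS, then set hardening headers.
func secureHandler(next http.Handler, allowedHosts map[string]bool, hsts string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allowedHosts) > 0 && !allowedHosts[r.Host] { // empty allow-list means all hosts
			http.Error(w, "host not allowed", http.StatusBadRequest) // status code is an assumption
			return
		}
		if r.TLS == nil { // ForceSSL: redirect before any content is served (301 is an assumption)
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", hsts)
		w.Header().Set("X-Frame-Options", "SAMEORIGIN")     // FrameSameOrigin default
		w.Header().Set("X-XSS-Protection", "1; mode=block") // XSSProtectionBlock default
		next.ServeHTTP(w, r)
	})
}

func main() {
	hsts, _ := hstsValue(180*24*time.Hour, true, true) // 180 days clears HSTSPreloadMinAge
	hello := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "Hello") })
	http.ListenAndServe(":8080", secureHandler(hello, map[string]bool{"example.com": true}, hsts))
}
```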