Documentation ¶
Overview ¶
Package secure is a handler for the core (https://godoc.org/github.com/volatile/core). It provides quick security wins.
Usage ¶
Use adds the handler to the default handlers stack:
secure.Use(nil)
Make sure to include the handler above any other handler that alters the response body.
See Options reference for custom settings.
Constants ¶
const (
	// HPKPDefaultMaxAge provides a default HPKP Max-Age value of 30 days.
	HPKPDefaultMaxAge = 30 * 24 * time.Hour
	// HSTSDefaultMaxAge provides a default HSTS Max-Age value of 30 days.
	HSTSDefaultMaxAge = 30 * 24 * time.Hour
	// HSTSPreloadMinAge is the lowest max age usable with HSTS preload. See https://hstspreload.appspot.com.
	HSTSPreloadMinAge = 10886400
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type HPKPOptions ¶
type HPKPOptions struct {
	Keys              []string      // Keys contains the Base64 encoded Subject Public Key Information (SPKI) fingerprints. This field is required.
	MaxAge            time.Duration // MaxAge indicates how long the browser should remember that this site is only to be accessed using one of the pinned keys. This field is required.
	IncludeSubdomains bool          // IncludeSubdomains indicates whether HPKP applies to all of the site's subdomains as well.
	ReportURI         string        // ReportURI is the URL to which validation failures are reported.
}
HPKPOptions represents HTTP Public Key Pinning options. See RFC 7469 and https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning.
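Computing values for Keys, as an added example that is not part of the package or its documentation: each pin is the Base64 encoding of the SHA-256 digest of the key's DER-encoded SubjectPublicKeyInfo, and RFC 7469 requires a backup pin for a key that is not in the served chain. The names SPKIPin, HPKPHeader, liveKey and backupKey are hypothetical, the keys are constructed from fixed seeds for the demonstration, and HPKPHeader sketches the RFC 7469 header syntax rather than how this package builds the header.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Constructed demo keys (live, then backup) from fixed seeds; never use fixed seeds for real keys.
var liveKey = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)).Public()
var backupKey = ed25519.NewKeyFromSeed(append(make([]byte, ed25519.SeedSize-1), 1)).Public()

// SPKIPin returns Base64(SHA-256(DER SubjectPublicKeyInfo)), the pin format of RFC 7469.
func SPKIPin(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// HPKPHeader (hypothetical helper) renders a Public-Key-Pins value and insists on a distinct backup pin.
func HPKPHeader(keys []string, maxAge time.Duration, includeSubdomains bool) (string, error) {
	if len(keys) < 2 || keys[0] == keys[1] || maxAge <= 0 {
		return "", fmt.Errorf("need two distinct pins and a positive max-age")
	}
	var parts []string
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf("pin-sha256=%q", k))
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", int64(maxAge/time.Second)))
	if includeSubdomains {
		parts = append(parts, "includeSubDomains")
	}
	return strings.Join(parts, "; "), nil
}

func main() {
	a, errA := SPKIPin(liveKey)
	b, errB := SPKIPin(backupKey)
	if errA != nil || errB != nil {
		panic(fmt.Sprint(errA, errB))
	}
	fmt.Println(HPKPHeader([]string{a, b}, 30*24*time.Hour, true))
}
```

For a parsed certificate, the same DER bytes are available as RawSubjectPublicKeyInfo on x509.Certificate, so the pin can be computed without re-marshalling the key.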
type HSTSOptions ¶
type HSTSOptions struct {
	MaxAge            time.Duration // MaxAge indicates how long the browser should remember that this site is only to be accessed using HTTPS. This field is required.
	IncludeSubdomains bool          // IncludeSubdomains indicates whether HSTS applies to all of the site's subdomains as well.
	Preload           bool          // Preload indicates whether the browsers must use a secure connection. It's not a standard. See https://hstspreload.appspot.com.
}
HSTSOptions represents HTTP Strict Transport Security options. See RFC 6797 and https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security.
type Options ¶
type Options struct {
	AllowedHosts []string     // AllowedHosts indicates which fully qualified domain names are allowed to point to this server. If none are set, all are allowed.
	CSP          string       // CSP contains Content Security Policy for responses. See http://www.w3.org/TR/CSP/ and https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy.
	FrameAllowed bool         // FrameAllowed indicates whether the browsers can display the response in a frame, regardless of the site attempting to do so.
	HPKP         *HPKPOptions // HPKP contains the HTTP Public Key Pinning options.
	HSTS         *HSTSOptions // HSTS contains the HTTP Strict Transport Security options.
	SSLForced    bool         // SSLForced indicates whether an insecure request must be redirected to the secure protocol.
}
Options represents security options.