feat(secure): support Content-Security-Policy-Report-Only header (#1287)
Closes #1283
This commit is contained in:
parent
17b5044459
commit
802fb5bba6
1
echo.go
1
echo.go
@ -217,6 +217,7 @@ const (
|
||||
HeaderXXSSProtection = "X-XSS-Protection"
|
||||
HeaderXFrameOptions = "X-Frame-Options"
|
||||
HeaderContentSecurityPolicy = "Content-Security-Policy"
|
||||
HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
|
||||
HeaderXCSRFToken = "X-CSRF-Token"
|
||||
)
|
||||
|
||||
|
@ -53,6 +53,13 @@ type (
|
||||
// trusted web page context.
|
||||
// Optional. Default value "".
|
||||
ContentSecurityPolicy string `yaml:"content_security_policy"`
|
||||
|
||||
// CSPReportOnly would use the `Content-Security-Policy-Report-Only` header instead
|
||||
// of the `Content-Security-Policy` header. This allows iterative updates of the
|
||||
// content security policy by only reporting the violations that would
|
||||
// have occurred instead of blocking the resource.
|
||||
// Optional. Default value false.
|
||||
CSPReportOnly bool `yaml:"csp_report_only"`
|
||||
}
|
||||
)
|
||||
|
||||
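Review bot: The new CSPReportOnly doc comment says the header "only" reports violations, but it does not say where those reports go: a Report-Only policy that carries no `report-uri` or `report-to` directive is neither enforced nor reported anywhere, so the flag then simply turns the CSP off. The comment should make that explicit, e.g. after "Optional. Default value false." add `// Note: in report-only mode nothing is blocked; include a report-uri/report-to` and `// directive in ContentSecurityPolicy, otherwise violations are neither enforced nor reported.` The SecureConfig type starts outside the hunk.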
@ -108,8 +115,12 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
|
||||
res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains))
|
||||
}
|
||||
if config.ContentSecurityPolicy != "" {
|
||||
if config.CSPReportOnly {
|
||||
res.Header().Set(echo.HeaderContentSecurityPolicyReportOnly, config.ContentSecurityPolicy)
|
||||
} else {
|
||||
res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
|
||||
}
|
||||
}
|
||||
return next(c)
|
||||
}
|
||||
}
|
||||
|
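Review bot: The `if config.CSPReportOnly` branch under `if config.ContentSecurityPolicy != ""` differs from its else branch only in the header name, so it reads more directly as a header-name selection followed by a single Set: `cspHeader := echo.HeaderContentSecurityPolicy`, `if config.CSPReportOnly { cspHeader = echo.HeaderContentSecurityPolicyReportOnly }`, `res.Header().Set(cspHeader, config.ContentSecurityPolicy)`. Whichever shape is kept, a why-comment on the branch would help a later reader, since flipping the flag silently drops the enforcing header: `// Report-only replaces the enforcing header; violations are not blocked in this mode.` The body of SecureWithConfig starts outside the hunk.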
@ -42,4 +42,24 @@ func TestSecure(t *testing.T) {
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
|
||||
assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
||||
assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
|
||||
|
||||
// Custom with CSPReportOnly flag
|
||||
req.Header.Set(echo.HeaderXForwardedProto, "https")
|
||||
rec = httptest.NewRecorder()
|
||||
c = e.NewContext(req, rec)
|
||||
SecureWithConfig(SecureConfig{
|
||||
XSSProtection: "",
|
||||
ContentTypeNosniff: "",
|
||||
XFrameOptions: "",
|
||||
HSTSMaxAge: 3600,
|
||||
ContentSecurityPolicy: "default-src 'self'",
|
||||
CSPReportOnly: true,
|
||||
})(h)(c)
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
|
||||
assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
||||
assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
|
||||
}
|
||||
|
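Review bot: The new case at `// Custom with CSPReportOnly flag` only exercises the report-only path with a policy set; there is no case for `CSPReportOnly: true` together with an empty ContentSecurityPolicy, which the middleware's outer guard should turn into no CSP header at all, and an assertion for that would pin the guard order. With a fresh `rec`/`c` as in the other cases, the check is `SecureWithConfig(SecureConfig{CSPReportOnly: true})(h)(c)`, `assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))`, `assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))`. The repeated `req.Header.Set(echo.HeaderXForwardedProto, "https")` on the reused request is presumably redundant with the preceding case, though that line is outside the hunk. TestSecure starts outside the hunk.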