Add ReferrerPolicy to Secure middleware (#1363)
This commit is contained in:
parent
8cabd1e123
commit
87da9a948b
1
echo.go
1
echo.go
@ -222,6 +222,7 @@ const (
|
||||
HeaderContentSecurityPolicy = "Content-Security-Policy"
|
||||
HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
|
||||
HeaderXCSRFToken = "X-CSRF-Token"
|
||||
HeaderReferrerPolicy = "Referrer-Policy"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -66,6 +66,11 @@ type (
|
||||
// maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
|
||||
// Optional. Default value false.
|
||||
HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
|
||||
|
||||
// ReferrerPolicy sets the `Referrer-Policy` header providing security against
|
||||
// leaking potentially sensitive request paths to third parties.
|
||||
// Optional. Default value "".
|
||||
ReferrerPolicy string `yaml:"referrer_policy"`
|
||||
}
|
||||
)
|
||||
|
||||
@ -131,6 +136,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
|
||||
res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
|
||||
}
|
||||
}
|
||||
if config.ReferrerPolicy != "" {
|
||||
res.Header().Set(echo.HeaderReferrerPolicy, config.ReferrerPolicy)
|
||||
}
|
||||
return next(c)
|
||||
}
|
||||
}
|
||||
|
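Review bot: The configured value is written to the response verbatim at `res.Header().Set(echo.HeaderReferrerPolicy, config.ReferrerPolicy)` without being checked against the tokens the Referrer-Policy header defines, so a typo in configuration (say "same-orgin") is emitted silently and browsers fall back to their own default rather than the policy the operator intended. Consider validating the value in SecureWithConfig against the known tokens (no-referrer, no-referrer-when-downgrade, same-origin, origin, strict-origin, origin-when-cross-origin, strict-origin-when-cross-origin, unsafe-url), or at least extending the field's doc comment with `// The value is sent as-is and must be a valid Referrer-Policy token, e.g. "no-referrer", "same-origin" or "strict-origin-when-cross-origin".` The field doc also states the default is "", which means the middleware emits no Referrer-Policy header unless one is configured; DefaultSecureConfig lies outside this hunk, so confirm that leaving it unset is the intended default. SecureWithConfig's body begins before this hunk.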
@ -25,6 +25,7 @@ func TestSecure(t *testing.T) {
|
||||
assert.Equal(t, "SAMEORIGIN", rec.Header().Get(echo.HeaderXFrameOptions))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderReferrerPolicy))
|
||||
|
||||
// Custom
|
||||
req.Header.Set(echo.HeaderXForwardedProto, "https")
|
||||
@ -36,6 +37,7 @@ func TestSecure(t *testing.T) {
|
||||
XFrameOptions: "",
|
||||
HSTSMaxAge: 3600,
|
||||
ContentSecurityPolicy: "default-src 'self'",
|
||||
ReferrerPolicy: "origin",
|
||||
})(h)(c)
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
|
||||
@ -43,6 +45,7 @@ func TestSecure(t *testing.T) {
|
||||
assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
||||
assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
|
||||
assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
|
||||
|
||||
// Custom with CSPReportOnly flag
|
||||
req.Header.Set(echo.HeaderXForwardedProto, "https")
|
||||
@ -55,6 +58,7 @@ func TestSecure(t *testing.T) {
|
||||
HSTSMaxAge: 3600,
|
||||
ContentSecurityPolicy: "default-src 'self'",
|
||||
CSPReportOnly: true,
|
||||
ReferrerPolicy: "origin",
|
||||
})(h)(c)
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
|
||||
@ -62,6 +66,7 @@ func TestSecure(t *testing.T) {
|
||||
assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
||||
assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
|
||||
assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
|
||||
|
||||
// Custom, with preload option enabled
|
||||
req.Header.Set(echo.HeaderXForwardedProto, "https")
|
||||
|