Add ReferrerPolicy to Secure middleware (#1363)

2024-11-24 08:22:21 +02:00 · 2019-08-02 00:27:09 +02:00 · 2019-08-02 00:27:09 +02:00 · 87da9a948b
commit 87da9a948b
parent 8cabd1e123
3 changed files with 14 additions and 0 deletions
--- a/echo.go
+++ b/echo.go
@ -222,6 +222,7 @@ const (
 	HeaderContentSecurityPolicy           = "Content-Security-Policy"
 	HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
 	HeaderXCSRFToken                      = "X-CSRF-Token"
+	HeaderReferrerPolicy                  = "Referrer-Policy"
 )

 const (
--- a/middleware/secure.go
+++ b/middleware/secure.go
@ -66,6 +66,11 @@ type (
 		// maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
 		// Optional.  Default value false.
 		HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
+
+		// ReferrerPolicy sets the `Referrer-Policy` header providing security against
+		// leaking potentially sensitive request paths to third parties.
+		// Optional. Default value "".
+		ReferrerPolicy string `yaml:"referrer_policy"`
 	}
 )

@ -131,6 +136,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
 					res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
 				}
 			}
+			if config.ReferrerPolicy != "" {
+				res.Header().Set(echo.HeaderReferrerPolicy, config.ReferrerPolicy)
+			}
 			return next(c)
 		}
 	}
--- a/middleware/secure_test.go
+++ b/middleware/secure_test.go
@ -25,6 +25,7 @@ func TestSecure(t *testing.T) {
 	assert.Equal(t, "SAMEORIGIN", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+	assert.Equal(t, "", rec.Header().Get(echo.HeaderReferrerPolicy))

 	// Custom
 	req.Header.Set(echo.HeaderXForwardedProto, "https")
@ -36,6 +37,7 @@ func TestSecure(t *testing.T) {
 		XFrameOptions:         "",
 		HSTSMaxAge:            3600,
 		ContentSecurityPolicy: "default-src 'self'",
+		ReferrerPolicy:        "origin",
 	})(h)(c)
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
@ -43,6 +45,7 @@ func TestSecure(t *testing.T) {
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
+	assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))

 	// Custom with CSPReportOnly flag
 	req.Header.Set(echo.HeaderXForwardedProto, "https")
@ -55,6 +58,7 @@ func TestSecure(t *testing.T) {
 		HSTSMaxAge:            3600,
 		ContentSecurityPolicy: "default-src 'self'",
 		CSPReportOnly:         true,
+		ReferrerPolicy:        "origin",
 	})(h)(c)
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
@ -62,6 +66,7 @@ func TestSecure(t *testing.T) {
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+	assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))

 	// Custom, with preload option enabled
 	req.Header.Set(echo.HeaderXForwardedProto, "https")