go/mailpit
1
0
Fork 0
mirror of https://github.com/axllent/mailpit.git synced 2025-04-13 11:50:32 +02:00
Code Issues Releases Activity

Security: Add restrictive HTTP Content-Security-Policy

Browse Source
This commit is contained in:
Ralph Slooten 2022-09-15 21:23:27 +12:00
parent d29a7d6218
commit 51e458ad57
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
server/server.go
View File

@ -21,6 +21,8 @@ import (
//go:embed ui //go:embed ui
var embeddedFS embed.FS var embeddedFS embed.FS
var contentSecurityPolicy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src 'self' data:; media-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self';"
// Listen will start the httpd // Listen will start the httpd
func Listen() { func Listen() {
serverRoot, err := fs.Sub(embeddedFS, "ui") serverRoot, err := fs.Sub(embeddedFS, "ui")
@ -85,6 +87,9 @@ func (w gzipResponseWriter) Write(b []byte) (int, error) {
// and gzip compression. // and gzip compression.
func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc { func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
if config.UIAuthFile != "" { if config.UIAuthFile != "" {
user, pass, ok := r.BasicAuth() user, pass, ok := r.BasicAuth()
@ -115,6 +120,8 @@ func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {
// and gzip compression // and gzip compression
func middlewareHandler(h http.Handler) http.Handler { func middlewareHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
if config.UIAuthFile != "" { if config.UIAuthFile != "" {
user, pass, ok := r.BasicAuth() user, pass, ok := r.BasicAuth()
@ -143,6 +150,8 @@ func middlewareHandler(h http.Handler) http.Handler {
// FourOFour returns a basic 404 message // FourOFour returns a basic 404 message
func fourOFour(w http.ResponseWriter) { func fourOFour(w http.ResponseWriter) {
w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
w.WriteHeader(http.StatusNotFound) w.WriteHeader(http.StatusNotFound)
w.Header().Set("Content-Type", "text/plain") w.Header().Set("Content-Type", "text/plain")
fmt.Fprint(w, "404 page not found") fmt.Fprint(w, "404 page not found")
@ -150,6 +159,8 @@ func fourOFour(w http.ResponseWriter) {
// HTTPError returns a basic error message (400 response) // HTTPError returns a basic error message (400 response)
func httpError(w http.ResponseWriter, msg string) { func httpError(w http.ResponseWriter, msg string) {
w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
w.Header().Set("Content-Type", "text/plain") w.Header().Set("Content-Type", "text/plain")
fmt.Fprint(w, msg) fmt.Fprint(w, msg)