
add ability to specify CSP, Content-Security-Policy #445

Open
komuw opened this issue May 24, 2024 · 3 comments

Comments

@komuw (Owner) commented May 24, 2024

```go
nonce := id.Random(cspBytesTokenLength)
r = r.WithContext(context.WithValue(ctx, cspCtxKey, nonce))
w.Header().Set(
	cspHeader,
	// - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
	// - https://web.dev/security-headers/
	// - https://stackoverflow.com/a/66955464/2768067
	// - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
	// - https://web.dev/security-headers/#tt
	// - https://securityheaders.com/
	//
	// Content is only permitted from:
	// - the document's origin (and subdomains)
	// - images may load from anywhere
	// - media is allowed from the domain (and its subdomains)
	// - executable scripts are only allowed from self (& subdomains)
	// - DOM XSS (e.g. setting innerHTML) is blocked by require-trusted-types
	getCsp(domain, nonce),
)
```

@komuw (Owner, Author) commented Jun 18, 2024

ong/middleware/csp.go, lines 70 to 74 in f2c39ac:

```go
	// - media is allowed from the domain (and its subdomains)
	// - executable scripts are only allowed from self (& subdomains)
	// - DOM XSS (e.g. setting innerHTML) is blocked by require-trusted-types
	getCsp(domain, nonce),
)
```

@komuw (Owner, Author) commented Jun 18, 2024

If we do this, maybe we should also be able to configure the headers:

ong/middleware/csp.go, lines 70 to 109 in f2c39ac:

```go
	// - media is allowed from the domain (and its subdomains)
	// - executable scripts are only allowed from self (& subdomains)
	// - DOM XSS (e.g. setting innerHTML) is blocked by require-trusted-types
	getCsp(domain, nonce),
)
w.Header().Set(
	xContentOptionsHeader,
	"nosniff",
)
w.Header().Set(
	xFrameHeader,
	"DENY",
)
w.Header().Set(
	corpHeader,
	"same-site",
)
w.Header().Set(
	coopHeader,
	"same-origin",
)
w.Header().Set(
	referrerHeader,
	// - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
	"strict-origin-when-cross-origin",
)
if r.TLS != nil {
	w.Header().Set(
		stsHeader,
		// - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
		// A max-age (in seconds) of 2 years is recommended.
		getSts(60*24*time.Hour), // 60 days
	)
}
```
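The shape the two comments above describe (a per-request script nonce carried in the request context, a CSP built from the domain and that nonce, and the remaining security headers emitted alongside it), written out as a middleware whose policy and headers the caller can override. This is an added example, not ong's own code: `SecurityHeaders`, `Options`, `CspFunc`, `DefaultCsp` and `NonceFromContext` are names assumed here for illustration, and `DefaultCsp` is one reading of the policy bullets in the issue, not the project's `getCsp`. It uses only the standard library, so it runs stand-alone.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Unexported key type so other packages cannot collide with the nonce entry.
type ctxKey string

const cspNonceKey ctxKey = "csp-nonce"

// CspFunc builds the Content-Security-Policy value for one request.
// domain is the site's domain; nonce is the per-request script nonce.
// (Hypothetical type for this example.)
type CspFunc func(domain, nonce string) string

// DefaultCsp is one policy matching the bullets in the issue: content from the
// document's origin and its subdomains, images from anywhere, media from the
// domain and its subdomains, scripts only from self/subdomains (plus the
// nonce), and DOM XSS sinks gated by Trusted Types. Assumed here, not ong's getCsp.
func DefaultCsp(domain, nonce string) string {
	return strings.Join([]string{
		fmt.Sprintf("default-src 'self' %s *.%s", domain, domain),
		"img-src *",
		fmt.Sprintf("media-src 'self' %s *.%s", domain, domain),
		fmt.Sprintf("script-src 'self' *.%s 'nonce-%s'", domain, nonce),
		"object-src 'none'",
		"base-uri 'self'",
		"require-trusted-types-for 'script'",
	}, "; ")
}

// Options is the configurable surface; zero values fall back to the defaults.
type Options struct {
	Domain  string
	Csp     CspFunc           // nil means DefaultCsp
	Headers map[string]string // extra or overriding security headers
}

// newNonce returns 128 bits of CSPRNG output, base64-encoded as CSP requires.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// NonceFromContext lets templates read the nonce for <script nonce="...">.
func NonceFromContext(ctx context.Context) string {
	n, _ := ctx.Value(cspNonceKey).(string)
	return n
}

// SecurityHeaders wraps h, setting the CSP and the other headers per request.
func SecurityHeaders(h http.Handler, o Options) http.Handler {
	csp := o.Csp
	if csp == nil {
		csp = DefaultCsp
	}
	headers := map[string]string{
		"X-Content-Type-Options":       "nosniff",
		"X-Frame-Options":              "DENY",
		"Cross-Origin-Resource-Policy": "same-site",
		"Cross-Origin-Opener-Policy":   "same-origin",
		"Referrer-Policy":              "strict-origin-when-cross-origin",
	}
	for k, v := range o.Headers { // caller overrides win
		headers[k] = v
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil { // never fall back to a fixed or empty nonce
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", csp(o.Domain, nonce))
		for k, v := range headers {
			w.Header().Set(k, v)
		}
		if r.TLS != nil { // HSTS only has meaning on a TLS response
			w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		}
		h.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), cspNonceKey, nonce)))
	})
}

func main() {
	h := SecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "<script nonce=%q>console.log('ok')</script>", NonceFromContext(r.Context()))
	}), Options{Domain: "example.com"})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	fmt.Println(rec.Header().Get("Content-Security-Policy"))
	fmt.Println(rec.Body.String())
}
```

Two things worth checking whenever the policy becomes configurable: a caller-supplied `CspFunc` that drops the `'nonce-…'` source silently breaks every inline script the templates emit via `NonceFromContext`, so the override should be documented as taking the nonce for a reason; and a nonce must never be reused across responses, which is why generation happens inside the handler and a CSPRNG failure is a 500 rather than a fallback.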

@komuw (Owner, Author) commented Jul 4, 2024
