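// Handler wraps h in the server-wide middleware stack: per-request
// bookkeeping, security response headers, the HTTPS and "www." redirects,
// optional session initialisation, and the built-in CAPTCHA, CSP-report and
// service-nexus endpoints. cfg.mustInit() runs first so cfg is usable.
//
// Headers are set before either redirect, so the redirect responses carry
// them as well:
//   - X-Frame-Options: DENY together with CSP frame-ancestors 'none'.
//   - X-Content-Type-Options: nosniff.
//   - Content-Security-Policy: the fixed policy built below, plus a
//     report-uri directive when the reportURI flag is non-empty.
//   - Strict-Transport-Security, only on TLS requests: browsers ignore an
//     HSTS header received over plain HTTP, so there is nothing to gain by
//     sending it there.
//
// Redirect order: unless opts.DevMode or cfg.NoForceSSL is set, a non-TLS
// request is redirected to HTTPS; then, with cfg.StripWWW, a "www." host is
// redirected to the bare host. Both return without calling h.
//
// The returned handler is, outermost first: context.ClearHandler,
// timingHandler, errorhandler.Handler, methodOverride, then the mux.
func (cfg *Config) Handler(h http.Handler) http.Handler {
	cfg.mustInit()

	// TODO: per-response nonce for script-src/style-src? Not done here because
	// the templates that would need to consume it are not part of this block.
	//
	// plugin-types was removed from CSP3 and is ignored by current browsers.
	// Once ignored, object-src falls back to default-src ('self'), which would
	// allow same-origin plugin content to be embedded. object-src 'none'
	// expresses the same "no plugins" intent in a way all current browsers
	// honour; the empty plugin-types directive is kept for older ones.
	csp := "default-src 'self' https://www.google-analytics.com; " +
		"frame-ancestors 'none'; " +
		"img-src 'self' https://www.google-analytics.com data:; " +
		"form-action 'self'; " +
		"object-src 'none'; " +
		"plugin-types;"
	// reportURI comes from a configuration flag, not from the request.
	if reportURI.Value() != "" {
		csp += fmt.Sprintf(" report-uri %s;", reportURI.Value())
	}

	var inner http.Handler = http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		cRequestsHandled.Inc()
		miscctx.SetResponseWriter(rw, req)
		context.Set(req, &ServerKey, cfg.Server)

		hdr := rw.Header()
		hdr.Set("X-Frame-Options", "DENY")
		hdr.Set("X-Content-Type-Options", "nosniff")
		hdr.Set("X-UA-Compatible", "ie=edge")
		hdr.Set("Content-Security-Policy", csp)

		isSSL := origin.IsSSL(req)
		if isSSL {
			// 180 days; no includeSubDomains/preload, which would need a
			// deployment-wide decision rather than a code change.
			hdr.Set("Strict-Transport-Security", "max-age=15552000")
		}

		if !opts.DevMode && !cfg.NoForceSSL && !isSSL {
			cfg.redirectHTTPS(rw, req)
			return
		}

		if cfg.StripWWW && strings.HasPrefix(req.Host, "www.") {
			cfg.redirectStripWWW(rw, req)
			return
		}

		h.ServeHTTP(rw, req)
	})

	if cfg.SessionConfig != nil {
		inner = cfg.SessionConfig.InitHandler(inner)
	}

	// Lazily provide a default CAPTCHA configuration. This mutates cfg, so
	// Handler is expected to be called during setup, not concurrently.
	if cfg.CAPTCHA == nil {
		cfg.CAPTCHA = &captcha.Config{
			DisallowHandlerNew: true,
			Leeway:             1,
		}
		if fontPath := captchaFontPathFlag.Value(); fontPath != "" {
			cfg.CAPTCHA.SetFontPath(fontPath)
		}
	}

	mux := http.NewServeMux()
	mux.Handle("/", inner)
	mux.Handle("/.captcha/", cfg.CAPTCHA.Handler("/.captcha/"))
	// The CSP report endpoint is mounted outside the session/header chain.
	mux.Handle("/.csp-report", cspreport.Handler)
	mux.Handle("/.service-nexus/", servicenexus.Handler(inner))

	return context.ClearHandler(timingHandler(errorhandler.Handler(methodOverride(mux))))
}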
// writeSessionCookieRaw stores v as the value of the session cookie named by
// cookieNameFlag, or clears that cookie when v is empty. The cookie is
// HttpOnly, scoped to "/", and flagged Secure only when the current request
// arrived over TLS (origin.IsSSL). The write goes through replaceCookie.
//
// NOTE(review): no SameSite attribute is set here, so the cookie is sent on
// cross-site requests and CSRF protection has to come from elsewhere —
// confirm that is the case before relying on it.
func (c *ctx) writeSessionCookieRaw(v string) {
	cookie := &http.Cookie{
		Name:     cookieNameFlag.Value(),
		Value:    v,
		Path:     "/",
		Secure:   origin.IsSSL(c.req),
		HttpOnly: true,
	}
	if v == "" {
		// A negative MaxAge serialises as Max-Age=0, which browsers treat
		// as "delete this cookie".
		cookie.MaxAge = -1
	}
	replaceCookie(c.rw, cookie)
}