Exemplo n.º 1
0
func secureMiddleware(c *Config) negroni.Handler {
	csp := fmt.Sprintf("default-src *; script-src 'self' %s https://www.google-analytics.com 'unsafe-inline'; style-src 'self' %s 'unsafe-inline'; object-src 'self' %s;", c.AssetHost, c.AssetHost, c.AssetHost)
	secureMiddleware := secure.New(secure.Options{
		SSLRedirect:           true,
		STSSeconds:            315360000,
		SSLProxyHeaders:       map[string]string{"X-Forwarded-Proto": "https"},
		STSIncludeSubdomains:  true,
		FrameDeny:             true,
		ContentTypeNosniff:    true,
		BrowserXssFilter:      true,
		ContentSecurityPolicy: csp,
		IsDevelopment:         !c.IsProduction(),
	})

	return negroni.HandlerFunc(secureMiddleware.HandlerFuncWithNext)
}
Exemplo n.º 2
0
func TestIntegrationWithError(t *testing.T) {
	mux := http.NewServeMux()
	mux.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "bar")
	})

	secureMiddleware := New(Options{
		ContentTypeNosniff: true,
		FrameDeny:          true,
		AllowedHosts:       []string{"www.example.com", "sub.example.com"},
	})

	n := negroni.New()
	n.Use(negroni.HandlerFunc(secureMiddleware.HandlerFuncWithNext))
	n.UseHandler(mux)

	res := httptest.NewRecorder()
	req, _ := http.NewRequest("GET", "/foo", nil)
	req.Host = "www3.example.com"
	n.ServeHTTP(res, req)

	expect(t, res.Code, http.StatusInternalServerError)
}
Exemplo n.º 3
0
func TestIntegration(t *testing.T) {
	mux := http.NewServeMux()
	mux.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "bar")
	})

	secureMiddleware := New(Options{
		ContentTypeNosniff: true,
		FrameDeny:          true,
	})

	n := negroni.New()
	n.Use(negroni.HandlerFunc(secureMiddleware.HandlerFuncWithNext))
	n.UseHandler(mux)

	res := httptest.NewRecorder()
	req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
	n.ServeHTTP(res, req)

	expect(t, res.Code, http.StatusOK)
	expect(t, res.Body.String(), "bar")
	expect(t, res.Header().Get("X-Frame-Options"), "DENY")
	expect(t, res.Header().Get("X-Content-Type-Options"), "nosniff")
}