Пример #1
0
func (cfg *Config) Handler(h http.Handler) http.Handler {
	cfg.mustInit()

	// TODO: nonce?
	csp := "default-src 'self' https://www.google-analytics.com; frame-ancestors 'none'; img-src 'self' https://www.google-analytics.com data:; form-action 'self'; plugin-types;"
	if reportURI.Value() != "" {
		csp += fmt.Sprintf(" report-uri %s;", reportURI.Value())
	}

	var h2 http.Handler = http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		cRequestsHandled.Inc()

		miscctx.SetResponseWriter(rw, req)
		context.Set(req, &ServerKey, cfg.Server)

		hdr := rw.Header()
		hdr.Set("X-Frame-Options", "DENY")
		hdr.Set("X-Content-Type-Options", "nosniff")
		hdr.Set("X-UA-Compatible", "ie=edge")
		hdr.Set("Content-Security-Policy", csp)
		if origin.IsSSL(req) {
			hdr.Set("Strict-Transport-Security", "max-age=15552000")
		}

		if !opts.DevMode && !cfg.NoForceSSL && !origin.IsSSL(req) {
			cfg.redirectHTTPS(rw, req)
			return
		}

		if cfg.StripWWW && strings.HasPrefix(req.Host, "www.") {
			cfg.redirectStripWWW(rw, req)
			return
		}

		h.ServeHTTP(rw, req)
	})

	if cfg.SessionConfig != nil {
		h2 = cfg.SessionConfig.InitHandler(h2)
	}

	if cfg.CAPTCHA == nil {
		cfg.CAPTCHA = &captcha.Config{
			DisallowHandlerNew: true,
			Leeway:             1,
		}

		if captchaFontPathFlag.Value() != "" {
			cfg.CAPTCHA.SetFontPath(captchaFontPathFlag.Value())
		}
	}

	mux := http.NewServeMux()
	mux.Handle("/", h2)
	mux.Handle("/.captcha/", cfg.CAPTCHA.Handler("/.captcha/"))
	mux.Handle("/.csp-report", cspreport.Handler)
	mux.Handle("/.service-nexus/", servicenexus.Handler(h2))
	return context.ClearHandler(timingHandler(errorhandler.Handler(methodOverride(mux))))
}
Пример #2
0
func (c *ctx) writeSessionCookieRaw(v string) {
	maxAge := 0
	if v == "" {
		maxAge = -1
	}

	ck := http.Cookie{
		Name:     cookieNameFlag.Value(),
		Value:    v,
		Path:     "/",
		MaxAge:   maxAge,
		Secure:   origin.IsSSL(c.req),
		HttpOnly: true,
	}

	replaceCookie(c.rw, &ck)
}