func main() {
	// The index only answers GET, so it is mounted directly with no CSRF layer.
	goji.Get("/", IndexHandler)

	// The signup forms do POST, so they get nosurf in their own sub-mux
	// (and only there).
	signupMux := web.New()
	goji.Handle("/signup/*", signupMux)
	signupMux.Use(nosurf.NewPure)
	signupMux.Get("/signup/new", ShowSignupForm)
	signupMux.Post("/signup/submit", SubmitSignupForm)

	// Admin routes: the whole sub-mux is wrapped in a nosurf handler whose
	// base cookie is HTTPS-only, hidden from script, scoped to /admin on
	// localhost, and expires after four hours.
	adminMux := web.New()
	adminCSRF := nosurf.New(adminMux)
	csrfCookie := http.Cookie{
		Name:     "csrf_token",
		Domain:   "localhost",
		Path:     "/admin",
		MaxAge:   3600 * 4, // four hours, in seconds
		HttpOnly: true,
		Secure:   true,
	}
	// NOTE(review): http.Cookie also has a SameSite field (Go 1.11+); it is
	// left unset here, so the browser's default applies.
	adminCSRF.SetBaseCookie(csrfCookie)
	goji.Handle("/admin/*", adminCSRF)

	goji.Serve()
}
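// TestNoCache checks that the NoCache middleware sets every header listed in
// noCacheHeaders on a plain GET response.
func TestNoCache(t *testing.T) {
	rr := httptest.NewRecorder()
	s := web.New()
	s.Use(NoCache)

	r, err := http.NewRequest("GET", "/", nil)
	if err != nil {
		t.Fatal(err)
	}
	s.ServeHTTP(rr, r)

	// Header().Get returns "" for a missing header instead of indexing an
	// empty slice, so an absent header is reported as a failure rather than
	// panicking the test binary. It also canonicalises the key, which the
	// raw HeaderMap lookup did not.
	for k, v := range noCacheHeaders {
		if rr.Header().Get(k) != v {
			t.Errorf("%s header not set by middleware.", k)
		}
	}
}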
// StartServer starts the web server func StartServer(bind string) { secureMiddleware := secure.New(secure.Options{ AllowedHosts: []string{"example.com", "ssl.example.com"}, FrameDeny: true, ContentTypeNosniff: true, BrowserXssFilter: true, IsDevelopment: true, }) m := web.New() m.Use(middleware.RealIP) m.Use(gojistatic.Static("web/public", gojistatic.StaticOptions{SkipLogging: true})) m.Use(middleware.EnvInit) m.Use(secureMiddleware.Handler) m.Use(SessionMiddleware) m.Use(nosurf.NewPure) m.Get("/", controllers.Home) m.Get("/about", controllers.About) m.Get("/ip", controllers.IP) m.Get("/oauth/authorize", controllers.OAuthAuthorize) m.Get("/oauth/callback", controllers.OAuthCallback) m.Get("/sign_out", controllers.SignOut) m.Get("/checks", controllers.ChecksIndex) m.Get("/checks/new", controllers.NewCheck) m.Get("/checks/:id", controllers.ShowCheck) m.Post("/checks/:id/delete", controllers.DeleteCheck) m.Post("/checks", controllers.CreateCheck) m.Get("/checks/:check_id/results", controllers.ResultsIndex) m.NotFound(controllers.NotFound) go graceful.ListenAndServe(bind, m) }