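package secure

import "github.com/gin-gonic/gin"

// Config is a struct for specifying configuration options for the secure
// middleware. The zero value applies no policy at all (every option below
// defaults to "off"); start from DefaultConfig for a hardened baseline and
// relax individual fields from there.
type Config struct {
	// AllowedHosts is a list of fully qualified domain names that are allowed.
	// Default is empty list, which allows any and all host names.
	// Leave it empty only if something upstream already validates the Host
	// header: an unchecked Host header is what makes host-header injection
	// (poisoned absolute URLs in password-reset mails, cache poisoning) possible.
	AllowedHosts []string
	// If SSLRedirect is set to true, then only allow https requests.
	// Default is false.
	SSLRedirect bool
	// If SSLTemporaryRedirect is true, then a 302 will be used while redirecting.
	// Default is false (301).
	SSLTemporaryRedirect bool
	// SSLHost is the host name that is used to redirect http requests to https.
	// Default is "", which indicates to use the same host. With the default the
	// redirect target presumably comes from the request's Host header, so pin
	// SSLHost or set AllowedHosts if clients can reach the app directly.
	SSLHost string
	// STSSeconds is the max-age of the Strict-Transport-Security header.
	// Default is 0, which would NOT include the header.
	// Browsers only honour HSTS received over HTTPS, so this is only useful
	// together with SSLRedirect (or a TLS-terminating proxy in front).
	STSSeconds int64
	// If STSIncludeSubdomains is set to true, the `includeSubdomains` will
	// be appended to the Strict-Transport-Security header. Default is false.
	// Enabling it commits every subdomain to HTTPS for STSSeconds; make sure
	// none of them is still served over plain HTTP.
	STSIncludeSubdomains bool
	// If FrameDeny is set to true, adds the X-Frame-Options header with
	// the value `DENY`. Default is false.
	FrameDeny bool
	// CustomFrameOptionsValue allows the X-Frame-Options header value
	// to be set with a custom value. This overrides the FrameDeny option.
	// Modern browsers prefer the CSP `frame-ancestors` directive; set both
	// when you need to allow a specific framing origin.
	CustomFrameOptionsValue string
	// If ContentTypeNosniff is true, adds the X-Content-Type-Options header
	// with the value `nosniff`. Default is false.
	ContentTypeNosniff bool
	// If BrowserXssFilter is true, adds the X-XSS-Protection header with
	// the value `1; mode=block`. Default is false.
	// The legacy XSS auditor has been removed from current browsers, so this
	// header is at best a no-op there; rely on ContentSecurityPolicy instead.
	BrowserXssFilter bool
	// ContentSecurityPolicy allows the Content-Security-Policy header value
	// to be set with a custom value. Default is "". The string is used as the
	// header value as given; the middleware does not validate the policy.
	ContentSecurityPolicy string
	// HTTP header "Referrer-Policy" governs which referrer information, sent in
	// the Referrer header, should be included with requests made.
	ReferrerPolicy string
	// When true, the whole security policy applied by the middleware is
	// disabled completely. Never leave this on in a production build; it
	// silently drops every header and the HTTPS redirect.
	IsDevelopment bool
	// Handlers for when an error occurs (ie bad host).
	BadHostHandler gin.HandlerFunc
	// Prevent Internet Explorer from executing downloads in your site's
	// context (X-Download-Options: noopen).
	IENoOpen bool
	// Feature Policy is a new header that allows a site to control which
	// features and APIs can be used in the browser. It has since been
	// superseded by Permissions-Policy, which uses a different syntax; this
	// field still emits the legacy Feature-Policy header.
	FeaturePolicy string
	// If DontRedirectIPV4Hostnames is true, requests to hostnames that are IPV4
	// addresses aren't redirected. This is to allow load balancer health checks
	// to succeed.
	// Note that this exempts EVERY request addressed by an IPv4 literal, not
	// only the health checker, so anyone who can reach the listener by IP gets
	// plain HTTP; restrict that path at the network layer or via AllowedHosts.
	DontRedirectIPV4Hostnames bool

	// If the request is insecure, treat it as secure if any of the headers in
	// this dict are set to their corresponding value.
	// This is useful when your app is running behind a secure proxy that
	// forwards requests to your app over http (such as on Heroku).
	// The middleware cannot tell a header set by your proxy from one sent by
	// the client, so only use this when the proxy is the only path to the app
	// and it overwrites these headers on every request; otherwise a client can
	// send e.g. "X-Forwarded-Proto: https" and skip the HTTPS redirect.
	SSLProxyHeaders map[string]string
}

// DefaultConfig returns a Configuration with strict security settings:
//
//	SSLRedirect:           true
//	IsDevelopment:         false
//	STSSeconds:            315360000
//	STSIncludeSubdomains:  true
//	FrameDeny:             true
//	ContentTypeNosniff:    true
//	BrowserXssFilter:      true
//	ContentSecurityPolicy: "default-src 'self'"
//	IENoOpen:              true
//	SSLProxyHeaders:       map[string]string{"X-Forwarded-Proto": "https"}
//
// Everything else keeps its zero value, so AllowedHosts is unrestricted and
// the X-Forwarded-Proto header is trusted; see the Config field docs before
// exposing the app without a proxy in front.
func DefaultConfig() Config {
	return Config{
		SSLRedirect:           true,
		IsDevelopment:         false,
		STSSeconds:            315360000,
		STSIncludeSubdomains:  true,
		FrameDeny:             true,
		ContentTypeNosniff:    true,
		BrowserXssFilter:      true,
		ContentSecurityPolicy: "default-src 'self'",
		IENoOpen:              true,
		SSLProxyHeaders:       map[string]string{"X-Forwarded-Proto": "https"},
	}
}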
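// New creates an instance of the secure middleware using the specified
// configuration. The policy is built once, up front, from config; register
// the returned handler early in the chain so the headers and the HTTPS
// redirect apply before any route handler runs:
//
//	router.Use(secure.New(secure.DefaultConfig()))
func New(config Config) gin.HandlerFunc {
	policy := newPolicy(config)
	return func(c *gin.Context) {
		// A false result means the policy already produced the response
		// (bad host, redirect); presumably it also aborts the context so
		// later handlers do not run — verify in the policy implementation.
		if !policy.applyToContext(c) {
			return
		}
	}
}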