Add configurable HSTS and some other headers

This commit is contained in:
Ken-Håvard Lieng 2016-01-25 22:41:54 +01:00
parent df02d27674
commit 068f3c04a0
3 changed files with 66 additions and 36 deletions


@ -58,3 +58,10 @@ secret = ""
[auth.twitter] [auth.twitter]
key = "" key = ""
secret = "" secret = ""
# Strict-Transport-Security
[https.hsts]
enabled = false
max_age = 31536000
include_subdomains = false
preload = false
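Review bot: The new `[https.hsts]` keys document neither their units nor the conditions under which `preload` does anything: `max_age` is a number of seconds, and the server concatenates it into the header value verbatim (the `viper.GetString("https.hsts.max_age")` line in file_server.go on this commit), so anything but a plain non-negative integer yields a header browsers discard. The browser preload lists also only accept sites that send `includeSubDomains` together with a max-age of at least one year, so `preload = true` with the defaults above is silently ineffective. I would add above the table `# max_age is in seconds (31536000 = one year); HSTS is hard to undo, so start with a short value.` and `# preload only takes effect with include_subdomains = true and max_age >= 31536000, and only once every subdomain serves HTTPS.`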


@ -10,7 +10,7 @@ import (
var ( var (
index_0 = []byte(`<!DOCTYPE html><html lang=en><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Dispatch</title><link href="https://fonts.googleapis.com/css?family=Montserrat:400,700|Roboto+Mono:400,700" rel=stylesheet><link href=/`) index_0 = []byte(`<!DOCTYPE html><html lang=en><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Dispatch</title><link href="https://fonts.googleapis.com/css?family=Montserrat:400,700|Roboto+Mono:400,700" rel=stylesheet><link href=/`)
index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script>window.__ENV__=`) index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script>window.__ENV__=`)
index_2 = []byte(`;</script><script src=/`) index_2 = []byte(`</script><script src=/`)
index_3 = []byte(`></script></body></html>`) index_3 = []byte(`></script></body></html>`)
) )


@ -17,40 +17,44 @@ import (
"github.com/khlieng/dispatch/assets" "github.com/khlieng/dispatch/assets"
) )
var files = []File{ var (
File{ files = []File{
Path: "bundle.js", File{
Asset: "bundle.js.gz", Path: "bundle.js",
ContentType: "text/javascript", Asset: "bundle.js.gz",
CacheControl: "max-age=31536000", ContentType: "text/javascript",
}, CacheControl: "max-age=31536000",
File{ },
Path: "bundle.css", File{
Asset: "bundle.css.gz", Path: "bundle.css",
ContentType: "text/css", Asset: "bundle.css.gz",
CacheControl: "max-age=31536000", ContentType: "text/css",
}, CacheControl: "max-age=31536000",
File{ },
Path: "font/fontello.woff", File{
Asset: "font/fontello.woff.gz", Path: "font/fontello.woff",
ContentType: "application/font-woff", Asset: "font/fontello.woff.gz",
}, ContentType: "application/font-woff",
File{ },
Path: "font/fontello.ttf", File{
Asset: "font/fontello.ttf.gz", Path: "font/fontello.ttf",
ContentType: "application/x-font-ttf", Asset: "font/fontello.ttf.gz",
}, ContentType: "application/x-font-ttf",
File{ },
Path: "font/fontello.eot", File{
Asset: "font/fontello.eot.gz", Path: "font/fontello.eot",
ContentType: "application/vnd.ms-fontobject", Asset: "font/fontello.eot.gz",
}, ContentType: "application/vnd.ms-fontobject",
File{ },
Path: "font/fontello.svg", File{
Asset: "font/fontello.svg.gz", Path: "font/fontello.svg",
ContentType: "image/svg+xml", Asset: "font/fontello.svg.gz",
}, ContentType: "image/svg+xml",
} },
}
hstsHeader string
)
type File struct { type File struct {
Path string Path string
@ -76,6 +80,17 @@ func initFileServer() {
hash = md5.Sum(data) hash = md5.Sum(data)
files[1].Path = "bundle." + base64.RawURLEncoding.EncodeToString(hash[:]) + ".css" files[1].Path = "bundle." + base64.RawURLEncoding.EncodeToString(hash[:]) + ".css"
if viper.GetBool("https.hsts.enabled") {
hstsHeader = "max-age=" + viper.GetString("https.hsts.max_age")
if viper.GetBool("https.hsts.include_subdomains") {
hstsHeader += "; includeSubDomains"
}
if viper.GetBool("https.hsts.preload") {
hstsHeader += "; preload"
}
}
} }
} }
@ -112,11 +127,19 @@ func serveIndex(w http.ResponseWriter, r *http.Request) {
return return
} }
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("Content-Type", "text/html") w.Header().Set("Content-Type", "text/html")
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("X-Frame-Options", "deny")
w.Header().Set("X-XSS-Protection", "1; mode=block")
if hstsHeader != "" {
w.Header().Set("Strict-Transport-Security", hstsHeader)
}
if strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") { if strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
w.Header().Set("Content-Encoding", "gzip") w.Header().Set("Content-Encoding", "gzip")
gzw := gzip.NewWriter(w) gzw := gzip.NewWriter(w)
renderIndex(gzw, session) renderIndex(gzw, session)
gzw.Close() gzw.Close()