Skip to content

Bassinet is a set of middlewares to help secure HTTP headers

Notifications You must be signed in to change notification settings

guillem-gelabert/bassinet

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Go Report Card

Bassinet

Bassinet is a set of 11 utility middlewares to help secure HTTP headers. It's based on the widely used helmet.js. Includes middleware functions for setting the following headers:

Usage

Initialize the middleware with the desired options —if any— and handle the returned error.

referrerPolicy, err := bassinet.ReferrerPolicy([]{
	bassinet.PolicyOrigin,
	bassinet.PolicyUnsafeURL,
})
if err != nil {
    // handle error
}

With ServeMux

To use bassinet with the builtin ServeMux you just wrap it with the initialized middleware.

mux := http.NewServeMux()
mux.HandleFunc("/", home)
srv := http.Server{
	Handler: referrerPolicy(mux)
}

As you might probably want to chain several of the middlewares it is recommended to use a composing function.

With justinas/alice

xssFilter, err := bassinet.XSSFilter()
if err != nil {
    // handle error
}
htsts, err := bassinet.StrictTransportSecurity(StrictTransportOption{
	maxAge:            60,
  excludeSubdomains: true,
})
if err != nil {
	// handle error
}

middleware := alice.New(xssFilter, htsts)

Response Headers

X-XSS-Protection

XSSFilter sets X-XSS-Protection header to 0 to prevent attackers from blocking legit code or inferring information. Read more. XSSFilter accepts no options.

xssFilter, err := bassinet.XSSFilter()
if err != nil {
	// Handle error
}

srv := http.Server{
	Handler: xssFilter(mux)
}

Strict-Transport-Security

StrictTransportSecurity sets Strict-Transport-Security so that browsers remember if HTTPS is available, to avoid insecure connection before redirect. Read more.

It accepts a bassinet.StrictTransportOptions struct to set the following directives:

  • maxAge: Time (in seconds) that the browser should remember if the site has HTTPS. Defaults to 180 days. int
  • excludeSubdomains: Optional. If set the browser will apply directive to subdomains. bool
  • preload: Optional. If set the browser will check the Preloading Strict Transport Security public list, enabling STS also on first load. bool
policies := bassinet.StrictTransportOptions{
	maxAge:            60 * 60 * 24 * 7, // recheck every week
	excludeSubdomains: true,
	preload: true,
}

sts, err := bassinet.StrictTransportSecurity(policies)
if err != nil {
	// Handle error
}

srv := http.Server{
	Handler: sts(mux)
}

X-Permitted-Cross-Domain-Policies

PermittedCrossDomainPolicies sets X-Permitted-Cross-Domain-Policies header to tell some user-agents (most notably Adobe products) your domain's policy for loading cross-domain content. Read more.

Accepts the following policies:

  • PCDPNone: No crossdomain.xml file is allowed.
  • PCDPMasterOnly: Only check crossdomain.xml in the root directory of the website.
  • PCDPByContentType: Only accept files with type text/x-cross-domain-policy.
  • PCDPAll: Allow any crossdomain.xml files.
permittedCrossDomainPolicies, err := bassinet.PermittedCrossDomainPolicies(bassinet.PCDPByContentType)
if err != nil {
	// Handle error
}

srv := http.Server{
	Handler: permittedCrossDomainPolicies(mux)
}

X-Download-Options

IeNoOpen sets X-Download-Options to noopen to prevent IE users to execute downloads in your site's context. Read more.

ieNoOpen := bassinet.IeNoOpen()

srv := http.Server{
	Handler: ieNoOpen(mux)
}

About

Bassinet is a set of middlewares to help secure HTTP headers

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages