issues/445: Rename security middleware to csp (#461)

- Updates: #445
komuw · Jun 18, 2024 · f2c39ac · f2c39ac
1 parent b711fc1
commit f2c39ac
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ Most recent version is listed first.
 - ong/middleware: Fix a number of CORS issues: https://github.com/komuw/ong/pull/442
 - ong/middleware: Eliminate panics: https://github.com/komuw/ong/pull/459
 - ong/middleware: AntiReplay function should not take a pointer to request: https://github.com/komuw/ong/pull/460
+- ong/middleware: Rename security middleware to csp: https://github.com/komuw/ong/pull/461
 
 # v0.1.1
 - ong/middleware: do not show hint: https://github.com/komuw/ong/pull/457 

diff --git a/middleware/security.go → middleware/csp.go b/middleware/security.go → middleware/csp.go
@@ -32,10 +32,10 @@ const (
 	cspBytesTokenLength = csrfBytesTokenLength
 )
 
-// securityHeaders is a middleware that adds some important HTTP security headers and assigns them sensible default values.
+// csp is a middleware that sets Content-Security-Policy(CSP) and adds some important HTTP security headers and assigns them sensible default values.
 //
-// Some of the headers set are Permissions-Policy, Content-securityHeaders-Policy, X-Content-Type-Options, X-Frame-Options, Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, Referrer-Policy & Strict-Transport-securityHeaders
-func securityHeaders(wrappedHandler http.Handler, domain string) http.HandlerFunc {
+// Some of the headers set are Permissions-Policy, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, Referrer-Policy & Strict-Transport-Security
+func csp(wrappedHandler http.Handler, domain string) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 
@@ -116,16 +116,15 @@ func securityHeaders(wrappedHandler http.Handler, domain string) http.HandlerFun
 func GetCspNonce(c context.Context) string {
 	v := c.Value(cspCtxKey)
 	if v != nil {
-		s, ok := v.(string)
-		if ok {
+		if s, ok := v.(string); ok {
 			return s
 		}
 	}
 	return cspDefaultNonce
 }
 
 func getCsp(domain, nonce string) string {
-	// content is only permitted from:
+	// This csp only permitts content from:
 	// - the document's origin(and subdomains)
 	// - images may load from anywhere
 	// - media is allowed from domain(and its subdomains)

diff --git a/middleware/security_test.go → middleware/csp_test.go b/middleware/security_test.go → middleware/csp_test.go
@@ -31,7 +31,7 @@ func TestSecurity(t *testing.T) {
 
 		msg := "hello"
 		domain := "example.com"
-		wrappedHandler := securityHeaders(echoHandler(msg), domain)
+		wrappedHandler := csp(echoHandler(msg), domain)
 
 		rec := httptest.NewRecorder()
 		req := httptest.NewRequest(http.MethodGet, "/someUri", nil)
@@ -52,7 +52,7 @@ func TestSecurity(t *testing.T) {
 
 		msg := "hello"
 		domain := "example.com"
-		wrappedHandler := securityHeaders(echoHandler(msg), domain)
+		wrappedHandler := csp(echoHandler(msg), domain)
 
 		rec := httptest.NewRecorder()
 		req := httptest.NewRequest(http.MethodGet, "/someUri", nil)
@@ -86,7 +86,7 @@ func TestSecurity(t *testing.T) {
 		domain := "example.com"
 		// for this concurrency test, we have to re-use the same wrappedHandler
 		// so that state is shared and thus we can see if there is any state which is not handled correctly.
-		wrappedHandler := securityHeaders(echoHandler(msg), domain)
+		wrappedHandler := csp(echoHandler(msg), domain)
 
 		runhandler := func() {
 			rec := httptest.NewRecorder()
@@ -124,7 +124,7 @@ func TestGetCspNonce(t *testing.T) {
 
 		msg := "hello"
 		domain := "example.com"
-		wrappedHandler := securityHeaders(echoHandler(msg), domain)
+		wrappedHandler := csp(echoHandler(msg), domain)
 
 		rec := httptest.NewRecorder()
 		req := httptest.NewRequest(http.MethodGet, "/someUri", nil)

diff --git a/middleware/middleware.go b/middleware/middleware.go
@@ -134,7 +134,7 @@ func allDefaultMiddlewares(
 								loadShedder(
 									acme.Handler(
 										httpsRedirector(
-											securityHeaders(
+											csp(
 												cors(
 													csrf(
 														// TODO: re-enable after https://github.com/komuw/ong/issues/447 is fixed.