package secure
import (
"github.com/labstack/echo"
"github.com/labstack/echo/middleware"
)
// Headers returns middleware that writes a fixed set of hardening response
// headers on every response and then hands off to the next handler.
//
// The headers written are:
//   - X-Content-Type-Options: nosniff — disables MIME type sniffing
//   - X-DNS-Prefetch-Control: off — asks the browser not to prefetch DNS
//   - X-Frame-Options: DENY — the page may not be rendered inside a frame
//   - Strict-Transport-Security: max-age=5184000; includeSubDomains —
//     60 days; browsers only honour HSTS when received over HTTPS
//   - X-Download-Options: noopen — stops IE opening downloads in the site's context
//   - X-XSS-Protection: 1; mode=block — legacy filter; NOTE(review): current
//     browsers ignore it, a Content-Security-Policy is the modern control
func Headers() echo.MiddlewareFunc {
	// The writes are independent of one another, so the set lives in one
	// table. Header.Set replaces any value an earlier middleware stored
	// under the same key.
	hardening := [...][2]string{
		{"X-Content-Type-Options", "nosniff"},
		{"X-DNS-Prefetch-Control", "off"},
		{"X-Frame-Options", "DENY"},
		{"Strict-Transport-Security", "max-age=5184000; includeSubDomains"},
		{"X-Download-Options", "noopen"},
		{"X-XSS-Protection", "1; mode=block"},
	}
	return func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c echo.Context) error {
			hdr := c.Response().Header()
			for _, kv := range hardening {
				hdr.Set(kv[0], kv[1])
			}
			return next(c)
		}
	}
}
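// CORS returns Cross-Origin Resource Sharing middleware.
//
// allowOrigins lists the origins permitted to make cross-origin requests,
// for example "https://app.example.com". When none are given the original
// configuration is kept for backward compatibility: AllowOrigins "*" with
// AllowCredentials true. That combination is the permissive end of CORS —
// a wildcard origin is not valid for credentialed responses, and depending
// on the echo version the middleware may instead reflect the request's
// Origin, which lets any site make credentialed requests to this API.
// Callers should pass an explicit origin list.
func CORS(allowOrigins ...string) echo.MiddlewareFunc {
	origins := []string{"*"}
	if len(allowOrigins) > 0 {
		// Copy so a later change to the caller's slice cannot alter the
		// configured list.
		origins = append([]string(nil), allowOrigins...)
	}
	return middleware.CORSWithConfig(middleware.CORSConfig{
		AllowOrigins: origins,
		// Preflight result cache lifetime, in seconds (24 hours).
		MaxAge:       86400,
		AllowMethods: []string{"POST", "GET", "PUT", "DELETE", "PATCH", "HEAD"},
		// NOTE(review): with credentials, browsers treat a literal "*" in
		// Access-Control-Allow-Headers as the header name "*", not as a
		// wildcard; if preflights carrying e.g. Authorization fail, list the
		// headers explicitly (presumably leaving this empty makes echo echo
		// the request's Access-Control-Request-Headers — verify for the
		// echo version in use).
		AllowHeaders:     []string{"*"},
		ExposeHeaders:    []string{"Content-Length"},
		AllowCredentials: true,
	})
}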