#88 integrating secure http headers
jeevatkm committed Aug 9, 2017
1 parent bea1326 commit 79ef9b5
Showing 2 changed files with 38 additions and 15 deletions.
40 changes: 36 additions & 4 deletions engine.go
Expand Up @@ -28,7 +28,6 @@ const (
const (
aahServerName = "aah-go-server"
gzipContentEncoding = "gzip"
hstsHeaderValue = "max-age=31536000; includeSubDomains"
)

var (
Expand Down Expand Up @@ -331,10 +330,43 @@ func (e *engine) writeHeaders(ctx *Context) {

ctx.Res.Header().Set(ahttp.HeaderServer, aahServerName)

// Set the HSTS if SSL is enabled on aah server
// Know more: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
// Write application security headers with many safe defaults and
// configured header values.
secureHeaders := AppSecurityManager().SecureHeaders

// Write common secure headers for all request
for header, value := range secureHeaders.Common {
ctx.Res.Header().Set(header, value)
}

// Applied to all HTML Content-Type
if ahttp.ContentTypeHTML.IsEqual(ctx.Reply().ContType) {
// X-XSS-Protection
ctx.Res.Header().Set(ahttp.HeaderXXSSProtection, secureHeaders.XSSFilter)

// Content-Security-Policy (CSP) and applied only to environment `prod`
if appIsProfileProd && len(secureHeaders.CSP) > 0 {
if secureHeaders.CSPReportOnly {
ctx.Res.Header().Set(ahttp.HeaderContentSecurityPolicy+"-Report-Only", secureHeaders.CSP)
} else {
ctx.Res.Header().Set(ahttp.HeaderContentSecurityPolicy, secureHeaders.CSP)
}
}
}

// Apply only if HTTPS (SSL)
if AppIsSSLEnabled() {
ctx.Res.Header().Set(ahttp.HeaderStrictTransportSecurity, hstsHeaderValue)
// Public-Key-Pins PKP (aka HPKP) and applied only to environment `prod`
if appIsProfileProd && len(secureHeaders.PKP) > 0 {
if secureHeaders.PKPReportOnly {
ctx.Res.Header().Set(ahttp.HeaderPublicKeyPins+"-Report-Only", secureHeaders.PKP)
} else {
ctx.Res.Header().Set(ahttp.HeaderPublicKeyPins, secureHeaders.PKP)
}
}

// Strict-Transport-Security (STS, aka HSTS)
ctx.Res.Header().Set(ahttp.HeaderStrictTransportSecurity, secureHeaders.STS)
}
}

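Review bot: The HSTS write `ctx.Res.Header().Set(ahttp.HeaderStrictTransportSecurity, secureHeaders.STS)` and the X-XSS-Protection write at the top of the HTML branch have no emptiness guard, unlike the CSP and PKP branches (`len(secureHeaders.CSP) > 0`, `len(secureHeaders.PKP) > 0`); an empty configured value now emits a blank header where the old code always sent the `max-age=31536000; includeSubDomains` constant. Guarding both the same way keeps the branches consistent: `if len(secureHeaders.STS) > 0 { ctx.Res.Header().Set(ahttp.HeaderStrictTransportSecurity, secureHeaders.STS) }`. The PKP branch deserves a comment that a wrong pin set locks returning clients out of the site for the pin's max-age, so the report-only form should be the one enabled until the pins are verified against the deployed certificate chain. The enclosing writeHeaders starts outside the hunk.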
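--- a/security.go
+++ b/security.go
@@ -192,17 +192,8 @@ func (e *engine) doAuthcAndAuthz(ascheme scheme.Schemer, ctx *Context) flowResul
 //___________________________________
 
 func initSecurity(appCfg *config.Config) error {
-if err := appSecurityManager.Init(appCfg); err != nil {
-return err
-}
-
-// Based on aah server SSL configuration `http.Cookie.Secure` value is set, even
-// though it's true in aah.conf at `security.session.secure = true`.
-if AppSessionManager() != nil {
-AppSessionManager().Options.Secure = AppIsSSLEnabled()
-}
-
-return nil
+appSecurityManager.IsSSLEnabled = AppIsSSLEnabled()
+return appSecurityManager.Init(appCfg)
 }
 
 func isFormAuthLoginRoute(ctx *Context) bool {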
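Review bot: The removed block set `AppSessionManager().Options.Secure = AppIsSSLEnabled()` directly, while the new code only assigns `appSecurityManager.IsSSLEnabled` before calling `Init`; whether `Init` still propagates that flag to the session cookie's Secure attribute is not visible in this hunk, and if it does not, session cookies on TLS deployments silently lose the Secure flag. A one-line comment above the assignment would pin the ordering dependency, e.g. `// IsSSLEnabled must be set before Init, which presumably derives the session cookie Secure flag from it.` The old comment explaining that the server's SSL state overrides `security.session.secure` in aah.conf was dropped with the block and is worth keeping wherever the flag is now consumed.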
