README
¶
Helmet
HTTP security headers middleware for Go(lang) inspired by HelmetJS.
Helmet helps you secure your Golang web applications by setting various HTTP security headers. It's not a silver bullet, but it can help!
Quick Start
go get github.com/MagnusFrater/helmet
package main
import (
"fmt"
"log"
"net/http"
"github.com/MagnusFrater/helmet"
)
func main() {
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, "I love HelmetJS, I just wish there was a Go(lang) equivalent...")
})
helmet := helmet.Default()
http.Handle("/", helmet.Secure(handler))
log.Fatal(http.ListenAndServe(":8080", nil))
}
This code sample can be found in /examples/01-quick-start.
How It Works
Helmet is a collection of 12 smaller middleware functions that set HTTP security response headers. Initializing via helmet.Default() will not include all of these middleware functions by default.
| Module | Default |
|---|---|
| Content-Security-Policy | |
| X-Content-Type-Options | nosniff |
| X-DNS-Prefetch-Control | off |
| X-Download-Options | noopen |
| Expect-CT | |
| Feature-Policy | |
| X-Frame-Options | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | |
| X-Powered-By | Removes the X-Powered-By header |
| Referrer-Policy | |
| Strict-Transport-Security | max-age=5184000; includeSubDomains (60 days) |
| X-XSS-Protection | 1; mode=block |
You can see more in the documentation.
Helmet is open source under the MIT License.
Gopher image by Renee French, licensed under CC 3.0 license.
Helmet icon by Hand-Drawn Goods, licensed under CC 3.0 license.
Gopher + Helmet remix by Emily Wilson, licensed under CC 3.0 license.
Documentation
¶
Index ¶
- Constants
- type CSPDirective
- type CSPSource
- type ContentSecurityPolicy
- func (csp *ContentSecurityPolicy) Add(directive CSPDirective, sources ...CSPSource)
- func (csp *ContentSecurityPolicy) Empty() bool
- func (csp *ContentSecurityPolicy) Header(w http.ResponseWriter)
- func (csp *ContentSecurityPolicy) Remove(directives ...CSPDirective)
- func (csp *ContentSecurityPolicy) String() string
- type ExpectCT
- type ExpectCTDirective
- type FeaturePolicy
- type FeaturePolicyDirective
- type FeaturePolicyOrigin
- type HSTSDirective
- type Helmet
- type ReferrerPolicy
- type ReferrerPolicyDirective
- type StrictTransportSecurity
- type XContentTypeOptions
- type XDNSPrefetchControl
- type XDownloadOptions
- type XFrameOptions
- type XPermittedCrossDomainPolicies
- type XPoweredBy
- type XXSSProtection
- type XXSSProtectionDirective
Constants ¶
const HeaderContentSecurityPolicy = "Content-Security-Policy"
HeaderContentSecurityPolicy is the Content-Security-Policy HTTP security header.
const HeaderExpectCT = "Expect-CT"
HeaderExpectCT is the Expect-CT HTTP security header.
const HeaderFeaturePolicy = "Feature-Policy"
HeaderFeaturePolicy is the Feature-Policy HTTP security header.
const HeaderReferrerPolicy = "Referrer-Policy"
HeaderReferrerPolicy is the Referrer-Policy HTTP security header.
const HeaderStrictTransportSecurity = "Strict-Transport-Security"
HeaderStrictTransportSecurity is the Strict-Transport-Security HTTP security header.
const HeaderXContentTypeOptions = "X-Content-Type-Options"
HeaderXContentTypeOptions is the X-Content-Type-Options HTTP header.
const HeaderXDNSPrefetchControl = "X-DNS-Prefetch-Control"
HeaderXDNSPrefetchControl is the X-DNS-Prefetch-Control HTTP header.
const HeaderXDownloadOptions = "X-Download-Options"
HeaderXDownloadOptions is the X-Download-Options HTTP header.
const HeaderXFrameOptions = "X-Frame-Options"
HeaderXFrameOptions is the X-Frame-Options HTTP security header.
const HeaderXPermittedCrossDomainPolicies = "X-Permitted-Cross-Domain-Policies"
HeaderXPermittedCrossDomainPolicies is the X-Permitted-Cross-Domain-Policies HTTP security header.
const HeaderXPoweredBy = "X-Powered-By"
HeaderXPoweredBy is the X-Powered-By HTTP security header.
const HeaderXXSSProtection = "X-XSS-Protection"
HeaderXXSSProtection is the X-XSS-Protection HTTP security header.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CSPDirective ¶
type CSPDirective string
CSPDirective represents a Content-Security-Policy directive.
const ( DirectiveBaseURI CSPDirective = "base-uri" DirectiveBlockAllMixedContent CSPDirective = "block-all-mixed-content" DirectiveChildSrc CSPDirective = "child-src" DirectiveConnectSrc CSPDirective = "connect-src" DirectiveDefaultSrc CSPDirective = "default-src" DirectiveFontSrc CSPDirective = "font-src" DirectiveFormAction CSPDirective = "form-action" DirectiveFrameAncestors CSPDirective = "frame-ancestors" DirectiveFrameSrc CSPDirective = "frame-src" DirectiveImgSrc CSPDirective = "img-src" DirectiveManifestSrc CSPDirective = "manifest-src" DirectiveMediaSrc CSPDirective = "media-src" DirectiveObjectSrc CSPDirective = "object-src" DirectivePluginTypes CSPDirective = "plugin-types" DirectivePrefetchSrc CSPDirective = "prefetch-src" DirectiveReportTo CSPDirective = "report-to" DirectiveSandbox CSPDirective = "sandbox" DirectiveScriptSrc CSPDirective = "script-src" DirectiveScriptSrcAttr CSPDirective = "script-src-attr" DirectiveScriptSrcElem CSPDirective = "script-src-elem" DirectiveStyleSrc CSPDirective = "style-src" DirectiveStyleSrcAttr CSPDirective = "style-src-attr" DirectiveStyleSrcElem CSPDirective = "style-src-elem" DirectiveTrustedTypes CSPDirective = "trusted-types" DirectiveUpgradeInsecureRequests CSPDirective = "upgrade-insecure-requests" DirectiveWorkerSrc CSPDirective = "worker-src" // deprecated DeprecatedDirectiveReferrer CSPDirective = "referrer" // use 'Referrer-Policy' HTTP header instead DeprecatedDirectiveReportURI CSPDirective = "report-uri" // use 'report-to' Content-Security-Policy directive instead DeprecatedDirectiveRequireSriFor CSPDirective = "require-sri-for" )
List of all Content-Security-Policy directives.
type CSPSource ¶
type CSPSource string
CSPSource represents a Content-Security-Policy source.
const ( SourceWildcard CSPSource = "*" SourceNone CSPSource = "'none'" SourceSelf CSPSource = "'self'" SourceHTTP CSPSource = "http:" SourceHTTPS CSPSource = "https:" SourceData CSPSource = "data:" SourceMediastream CSPSource = "mediastream:" SourceBlob CSPSource = "blob:" SourceFilesystem CSPSource = "filesystem:" SourceUnsafeEval CSPSource = "'unsafe-eval'" SourceUnsafeHashes CSPSource = "'unsafe-hashes'" SourceUnsafeInline CSPSource = "'unsafe-inline'" SourceStrictDynamic CSPSource = "'strict-dynamic'" SourceReportSample CSPSource = "'report-sample'" )
List of all Content-Security-Policy sources.
const ( DeprecatedReferrerNone CSPSource = "\"none\"" DeprecatedReferrerNoReferrer CSPSource = "\"no-referrer\"" DeprecatedReferrerNoneWhenDowngrade CSPSource = "\"none-when-downgrade\"" DeprecatedReferrerOrigin CSPSource = "\"origin\"" DeprecatedReferrerOriginWhenCrossOrigin CSPSource = "\"origin-when-cross-origin\"" DeprecatedReferrerUnsafeURL CSPSource = "\"unsafe-url\"" )
List of all DeprecatedDirectiveReferrer values.
const ( SandboxAllowDownloadsWithoutUserActivation CSPSource = "allow-downloads-without-user-activation" SandboxAllowForms CSPSource = "allow-forms" SandboxAllowModals CSPSource = "allow-modals" SandboxAllowOrientationLock CSPSource = "allow-orientation-lock" SandboxAllowPointerLock CSPSource = "allow-pointer-lock" SandboxAllowPopups CSPSource = "allow-popups" SandboxAllowPopupsToEscapeSandbox CSPSource = "allow-popups-to-escape-sandbox" SandboxAllowPresentation CSPSource = "allow-presentation" SandboxAllowSameOrigin CSPSource = "allow-same-origin" SandboxAllowScripts CSPSource = "allow-scripts" SandboxAllowStorageAccessByUserActivatation CSPSource = "allow-storage-access-by-user-activation" )
List of all DirectiveSandbox values.
const (
TrustedTypesAllowDuplicates CSPSource = "allow-duplicates"
)
List of all DirectiveTrustedTypes values.
type ContentSecurityPolicy ¶
type ContentSecurityPolicy struct {
// contains filtered or unexported fields
}
ContentSecurityPolicy represents the Content-Security-Policy HTTP security header.
func EmptyContentSecurityPolicy ¶
func EmptyContentSecurityPolicy() *ContentSecurityPolicy
EmptyContentSecurityPolicy creates a blank slate Content-Security-Policy.
func NewContentSecurityPolicy ¶
func NewContentSecurityPolicy(policies map[CSPDirective][]CSPSource) *ContentSecurityPolicy
NewContentSecurityPolicy creates a new Content-Security-Policy.
func (*ContentSecurityPolicy) Add ¶
func (csp *ContentSecurityPolicy) Add(directive CSPDirective, sources ...CSPSource)
Add adds a directive and its sources.
func (*ContentSecurityPolicy) Empty ¶ added in v0.7.0
func (csp *ContentSecurityPolicy) Empty() bool
Empty returns whether the Content-Security-Policy is empty.
func (*ContentSecurityPolicy) Header ¶
func (csp *ContentSecurityPolicy) Header(w http.ResponseWriter)
Header adds the Content-Security-Policy HTTP security header to the given http.ResponseWriter.
func (*ContentSecurityPolicy) Remove ¶
func (csp *ContentSecurityPolicy) Remove(directives ...CSPDirective)
Remove removes a directive and its sources.
func (*ContentSecurityPolicy) String ¶
func (csp *ContentSecurityPolicy) String() string
String generates the Content-Security-Policy.
type ExpectCT ¶
type ExpectCT struct {
MaxAge int // number of seconds that the browser should cache and apply the received policy for
Enforce bool // controls whether the browser should enforce the policy or treat it as report-only mode
ReportURI string // specifies where the browser should send reports if it does not receive valid CT information
// contains filtered or unexported fields
}
ExpectCT represents the Expect-CT HTTP security header.
func NewExpectCT ¶
NewExpectCT creates a new Expect-CT.
func (*ExpectCT) Header ¶
func (ect *ExpectCT) Header(w http.ResponseWriter)
Header adds the Expect-CT HTTP security header to the given http.ResponseWriter.
type ExpectCTDirective ¶
type ExpectCTDirective string
ExpectCTDirective represents an Expect-CT directive.
const DirectiveEnforce ExpectCTDirective = "enforce"
DirectiveEnforce is the Expect-CT Enforce directive.
func ExpectCTDirectiveMaxAge ¶
func ExpectCTDirectiveMaxAge(maxAge int) ExpectCTDirective
ExpectCTDirectiveMaxAge is the Expect-CT MaxAge directive.
func ExpectCTDirectiveReportURI ¶
func ExpectCTDirectiveReportURI(reportURI string) ExpectCTDirective
ExpectCTDirectiveReportURI is the Expect-CT ReportURI directive.
type FeaturePolicy ¶
type FeaturePolicy struct {
// contains filtered or unexported fields
}
FeaturePolicy represents the Feature-Policy HTTP security header.
func EmptyFeaturePolicy ¶
func EmptyFeaturePolicy() *FeaturePolicy
EmptyFeaturePolicy creates a blank slate Feature-Policy.
func NewFeaturePolicy ¶
func NewFeaturePolicy(policies map[FeaturePolicyDirective][]FeaturePolicyOrigin) *FeaturePolicy
NewFeaturePolicy creates a new Feature-Policy.
func (*FeaturePolicy) Add ¶
func (fp *FeaturePolicy) Add(directive FeaturePolicyDirective, origins ...FeaturePolicyOrigin)
Add adds a directive and its origins.
func (*FeaturePolicy) Empty ¶ added in v0.7.0
func (fp *FeaturePolicy) Empty() bool
Empty returns whether the Feature-Policy is empty.
func (*FeaturePolicy) Header ¶
func (fp *FeaturePolicy) Header(w http.ResponseWriter)
Header adds the Feature-Policy HTTP security header to the given http.ResponseWriter.
func (*FeaturePolicy) Remove ¶
func (fp *FeaturePolicy) Remove(directives ...FeaturePolicyDirective)
Remove removes a directive and its origins.
func (*FeaturePolicy) String ¶
func (fp *FeaturePolicy) String() string
String generates the Feature-Policy.
type FeaturePolicyDirective ¶
type FeaturePolicyDirective string
FeaturePolicyDirective represents a Feature-Policy directive.
const ( DirectiveAccelerometer FeaturePolicyDirective = "accelerometer" DirectiveAmbientLightSensor FeaturePolicyDirective = "ambient-light-sensor" DirectiveAutoplay FeaturePolicyDirective = "autoplay" DirectiveBattery FeaturePolicyDirective = "battery" DirectiveCamera FeaturePolicyDirective = "camera" DirectiveDisplayCapture FeaturePolicyDirective = "display-capture" DirectiveDocumentDomain FeaturePolicyDirective = "document-domain" DirectiveEncryptedMedia FeaturePolicyDirective = "encrypted-media" DirectiveExecutionWhileNotRendered FeaturePolicyDirective = "execution-while-not-rendered" DirectiveExecutionWhileOutOfViewport FeaturePolicyDirective = "execution-while-out-of-viewport" DirectiveFullscreen FeaturePolicyDirective = "fullscreen" DirectiveGeolocation FeaturePolicyDirective = "geolocation" DirectiveGyroscope FeaturePolicyDirective = "gyroscope" DirectiveLayoutAnimations FeaturePolicyDirective = "layout-animations" DirectiveLegacyImageFormats FeaturePolicyDirective = "legacy-image-formats" DirectiveMagnetometer FeaturePolicyDirective = "magnetometer" DirectiveMicrophone FeaturePolicyDirective = "microphone" DirectiveMidi FeaturePolicyDirective = "midi" DirectiveOversizedImages FeaturePolicyDirective = "oversized-images" DirectivePayment FeaturePolicyDirective = "payment" DirectivePictureInPicture FeaturePolicyDirective = "picture-in-picture" DirectivePublicKeyCredentials FeaturePolicyDirective = "publickey-credentials" DirectiveSyncXHR FeaturePolicyDirective = "sync-xhr" DirectiveUSB FeaturePolicyDirective = "usb" DirectiveWakeLock FeaturePolicyDirective = "wake-lock" DirectiveXRSpacialTracking FeaturePolicyDirective = "xr-spatial-tracking" // deprecated DeprecatedDirectiveVibrate FeaturePolicyDirective = "vibrate" DeprecatedDirectiveVR FeaturePolicyDirective = "vr" )
List of all Feature-Policy directives.
type FeaturePolicyOrigin ¶
type FeaturePolicyOrigin string
FeaturePolicyOrigin represents a Feature-Policy origin.
const ( OriginWildcard FeaturePolicyOrigin = "*" OriginSelf FeaturePolicyOrigin = "'self'" OriginSrc FeaturePolicyOrigin = "'src'" OriginNone FeaturePolicyOrigin = "'none'" )
List of all Feature-Policy origins.
type HSTSDirective ¶
type HSTSDirective string
HSTSDirective represents a Strict-Transport-Security directive.
const ( DirectiveIncludeSubDomains HSTSDirective = "includeSubDomains" DirectivePreload HSTSDirective = "preload" )
List of all Strict-Transport-Security directives.
func HSTSDirectiveMaxAge ¶
func HSTSDirectiveMaxAge(maxAge int) HSTSDirective
HSTSDirectiveMaxAge is the Strict-Transport-Security MaxAge directive.
type Helmet ¶
type Helmet struct {
ContentSecurityPolicy *ContentSecurityPolicy
XContentTypeOptions XContentTypeOptions
XDNSPrefetchControl XDNSPrefetchControl
XDownloadOptions XDownloadOptions
ExpectCT *ExpectCT
FeaturePolicy *FeaturePolicy
XFrameOptions XFrameOptions
XPermittedCrossDomainPolicies XPermittedCrossDomainPolicies
XPoweredBy *XPoweredBy
ReferrerPolicy *ReferrerPolicy
StrictTransportSecurity *StrictTransportSecurity
XXSSProtection *XXSSProtection
}
Helmet is a HTTP security middleware for Go(lang) inspired by HelmetJS for Express.js.
type ReferrerPolicy ¶ added in v0.7.0
type ReferrerPolicy struct {
// contains filtered or unexported fields
}
ReferrerPolicy represents the Referrer-Policy HTTP security header.
func EmptyReferrerPolicy ¶ added in v0.7.0
func EmptyReferrerPolicy() *ReferrerPolicy
EmptyReferrerPolicy creates a blank slate Referrer-Policy.
func NewReferrerPolicy ¶ added in v0.7.0
func NewReferrerPolicy(directives ...ReferrerPolicyDirective) *ReferrerPolicy
NewReferrerPolicy creates a new Referrer-Policy.
func (*ReferrerPolicy) Empty ¶ added in v0.7.0
func (rp *ReferrerPolicy) Empty() bool
Empty returns whether the Referrer-Policy is empty.
func (*ReferrerPolicy) Header ¶ added in v0.7.0
func (rp *ReferrerPolicy) Header(w http.ResponseWriter)
Header adds the Referrer-Policy HTTP header to the given http.ResponseWriter.
func (*ReferrerPolicy) String ¶ added in v0.7.0
func (rp *ReferrerPolicy) String() string
type ReferrerPolicyDirective ¶ added in v0.7.0
type ReferrerPolicyDirective string
ReferrerPolicyDirective represents a Referrer-Policy directive.
const ( DirectiveNoReferrer ReferrerPolicyDirective = "no-referrer" DirectiveNoReferrerWhenDowngrade ReferrerPolicyDirective = "no-referrer-when-downgrade" DirectiveOrigin ReferrerPolicyDirective = "origin" DirectiveOriginWhenCrossOrigin ReferrerPolicyDirective = "origin-when-cross-origin" DirectiveSmaeOrigin ReferrerPolicyDirective = "same-origin" DirectiveStrictOrigin ReferrerPolicyDirective = "strict-origin" DirectiveStrictOriginWhenCrossOrigin ReferrerPolicyDirective = "strict-origin-when-cross-origin" DirectiveUnsafeURL ReferrerPolicyDirective = "unsafe-url" )
X-Frame-Options options.
type StrictTransportSecurity ¶
type StrictTransportSecurity struct {
// The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
MaxAge int
// If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
IncludeSubDomains bool
// After successfully submitting your domain to Google maintained HSTS preload service, browsers will never connect to your domain using an insecure connection.
Preload bool
// contains filtered or unexported fields
}
StrictTransportSecurity represents the Strict-Transport-Security HTTP security header.
func EmptyStrictTransportSecurity ¶
func EmptyStrictTransportSecurity() *StrictTransportSecurity
EmptyStrictTransportSecurity creates a blank slate Strict-Transport-Security.
func NewStrictTransportSecurity ¶
func NewStrictTransportSecurity(maxAge int, includeSubDomains bool, preload bool) *StrictTransportSecurity
NewStrictTransportSecurity creates a new Strict-Transport-Security.
func (*StrictTransportSecurity) Empty ¶ added in v0.7.0
func (hsts *StrictTransportSecurity) Empty() bool
Empty returns whether the Strict-Transport-Security is empty.
func (*StrictTransportSecurity) Header ¶
func (hsts *StrictTransportSecurity) Header(w http.ResponseWriter)
Header adds the Strict-Transport-Security HTTP security header to the given http.ResponseWriter.
func (*StrictTransportSecurity) String ¶
func (hsts *StrictTransportSecurity) String() string
type XContentTypeOptions ¶ added in v0.6.0
type XContentTypeOptions string
XContentTypeOptions represents the X-Content-Type-Options HTTP security header.
const XContentTypeOptionsNoSniff XContentTypeOptions = "nosniff"
XContentTypeOptionsNoSniff represents the X-Content-Type-Options No Sniff option.
func (XContentTypeOptions) Empty ¶ added in v0.7.0
func (xcto XContentTypeOptions) Empty() bool
Empty returns whether the X-Content-Type-Options is empty.
func (XContentTypeOptions) Header ¶ added in v0.6.0
func (xcto XContentTypeOptions) Header(w http.ResponseWriter)
Header adds the X-Content-Type-Options HTTP security header to the given http.ResponseWriter.
func (XContentTypeOptions) String ¶ added in v0.6.0
func (xcto XContentTypeOptions) String() string
type XDNSPrefetchControl ¶
type XDNSPrefetchControl string
XDNSPrefetchControl represents the X-DNS-Prefetch-Control HTTP security header.
const ( XDNSPrefetchControlOn XDNSPrefetchControl = "on" XDNSPrefetchControlOff XDNSPrefetchControl = "off" )
X-DNS-Prefetch-Control options.
func (XDNSPrefetchControl) Empty ¶ added in v0.7.0
func (dns XDNSPrefetchControl) Empty() bool
Empty returns whether the X-DNS-Prefetch-Control is empty.
func (XDNSPrefetchControl) Header ¶
func (dns XDNSPrefetchControl) Header(w http.ResponseWriter)
Header adds the X-DNS-Prefetch-Control HTTP security header to the given http.ResponseWriter.
func (XDNSPrefetchControl) String ¶
func (dns XDNSPrefetchControl) String() string
type XDownloadOptions ¶ added in v0.6.0
type XDownloadOptions string
XDownloadOptions represents the X-Download-Options HTTP security header.
const XDownloadOptionsNoOpen XDownloadOptions = "noopen"
XDownloadOptionsNoOpen represents the X-Download-Options No Open option.
func (XDownloadOptions) Empty ¶ added in v0.7.0
func (xdo XDownloadOptions) Empty() bool
Empty returns whether the X-Download-Options is empty.
func (XDownloadOptions) Header ¶ added in v0.6.0
func (xdo XDownloadOptions) Header(w http.ResponseWriter)
Header adds the X-Download-Options HTTP security header to the given http.ResponseWriter.
func (XDownloadOptions) String ¶ added in v0.6.0
func (xdo XDownloadOptions) String() string
type XFrameOptions ¶
type XFrameOptions string
XFrameOptions represents the X-Frame-Options HTTP security header.
const ( XFrameOptionsDeny XFrameOptions = "DENY" XFrameOptionsSameOrigin XFrameOptions = "SAMEORIGIN" )
X-Frame-Options options.
func (XFrameOptions) Empty ¶ added in v0.7.0
func (xfo XFrameOptions) Empty() bool
Empty returns whether the X-Frame-Options is empty.
func (XFrameOptions) Header ¶
func (xfo XFrameOptions) Header(w http.ResponseWriter)
Header adds the X-Frame-Options HTTP header to the given http.ResponseWriter.
func (XFrameOptions) String ¶
func (xfo XFrameOptions) String() string
type XPermittedCrossDomainPolicies ¶
type XPermittedCrossDomainPolicies string
XPermittedCrossDomainPolicies represents the X-Permitted-Cross-Domain-Policies HTTP security header.
const ( PermittedCrossDomainPoliciesNone XPermittedCrossDomainPolicies = "none" PermittedCrossDomainPoliciesMasterOnly XPermittedCrossDomainPolicies = "master-only" PermittedCrossDomainPoliciesByContentType XPermittedCrossDomainPolicies = "by-content-type" PermittedCrossDomainPoliciesByFTPFilename XPermittedCrossDomainPolicies = "by-ftp-filename" PermittedCrossDomainPoliciesAll XPermittedCrossDomainPolicies = "all" )
X-Permitted-Cross-Domain-Policies options.
func (XPermittedCrossDomainPolicies) Empty ¶ added in v0.7.0
func (cdp XPermittedCrossDomainPolicies) Empty() bool
Empty returns whether the X-Permitted-Cross-Domain-Policies is empty.
func (XPermittedCrossDomainPolicies) Header ¶
func (cdp XPermittedCrossDomainPolicies) Header(w http.ResponseWriter)
Header adds the X-DNS-Prefetch-Control HTTP security header to the given http.ResponseWriter.
func (XPermittedCrossDomainPolicies) String ¶
func (cdp XPermittedCrossDomainPolicies) String() string
type XPoweredBy ¶
XPoweredBy represents the X-Powered-By HTTP security header.
func EmptyXPoweredBy ¶
func EmptyXPoweredBy() *XPoweredBy
EmptyXPoweredBy creates a blank slate XPoweredBy.
func NewXPoweredBy ¶
func NewXPoweredBy(hide bool, replacement string) *XPoweredBy
NewXPoweredBy creates a new XPoweredBy.
func (XPoweredBy) Empty ¶ added in v0.7.0
func (xpb XPoweredBy) Empty() bool
Empty returns whether the X-Powered-By is empty.
func (XPoweredBy) Header ¶
func (xpb XPoweredBy) Header(w http.ResponseWriter)
Header adds the X-Powered-By HTTP security header to the given http.ResponseWriter.
type XXSSProtection ¶ added in v0.7.0
type XXSSProtection struct {
XSSFiltering bool
Mode XXSSProtectionDirective
ReportURI string
// contains filtered or unexported fields
}
XXSSProtection represents the X-XSS-Protection HTTP security header.
func EmptyXXSSProtection ¶ added in v0.7.0
func EmptyXXSSProtection() *XXSSProtection
EmptyXXSSProtection creates a blank slate X-XSS-Protection.
func NewXXSSProtection ¶ added in v0.7.0
func NewXXSSProtection(xssFiltering bool, mode XXSSProtectionDirective, reportURI string) *XXSSProtection
NewXXSSProtection creates a new X-XSS-Protection.
func (*XXSSProtection) Empty ¶ added in v0.7.0
func (xssp *XXSSProtection) Empty() bool
Empty returns whether the X-XSS-Protection is empty.
func (*XXSSProtection) Header ¶ added in v0.7.0
func (xssp *XXSSProtection) Header(w http.ResponseWriter)
Header adds the X-XSS-Protection HTTP security header to the given http.ResponseWriter.
func (*XXSSProtection) String ¶ added in v0.7.0
func (xssp *XXSSProtection) String() string
type XXSSProtectionDirective ¶ added in v0.7.0
type XXSSProtectionDirective string
XXSSProtectionDirective represents an X-XSS-Protection directive.
const DirectiveModeBlock XXSSProtectionDirective = "mode=block"
DirectiveModeBlock is the X-XSS-Protection mode=block directive.
func XXSSProtectionDirectiveReportURI ¶ added in v0.7.0
func XXSSProtectionDirectiveReportURI(reportURI string) XXSSProtectionDirective
XXSSProtectionDirectiveReportURI is the X-XSS-Protection ReportURI directive.
func XXSSProtectionDirectiveXSSFiltering ¶ added in v0.7.0
func XXSSProtectionDirectiveXSSFiltering(xssFiltering bool) XXSSProtectionDirective
XXSSProtectionDirectiveXSSFiltering is the X-XSS-Protection XSSFiltering directive.
Source Files
Directories