secure_headers

package
v0.0.0-...-143550a Latest
Warning

This package is not in the latest version of its module.

Published: Mar 13, 2015 License: MIT Imports: 2 Imported by: 0

Documentation

Overview

Package secure_headers decorates an http.Handler and sets several key security headers.

Constants

This section is empty.

Variables

var DefaultSettings = Settings{
	CspOpts:                      csp.Opts{},
	ReportOpts:                   csp.Opts{},
	FrameOptions:                 "SAMEORIGIN",
	StrictTransportSecurity:      "max-age=31536000; includeSubDomains",
	ContentTypeOptions:           "nosniff",
	XSSProtection:                "1; mode=block",
	PermittedCrossDomainPolicies: "master-only",
}

Sane/safe defaults for the secure headers decorator. Content-Security-Policy is disabled by default as it is very restrictive.

Functions

func Decorate

func Decorate(settings Settings, delegate http.Handler) http.Handler
Example
var h http.Handler
h = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
h = Decorate(DefaultSettings, h) // Responses from h now include default security headers
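
A regression check for the decorated handler, as an added example that is not part of the package or its documentation: it audits a response against the values in DefaultSettings. The response header names are the standard ones these fields are assumed to map to, and `decorate`, `expected` and `auditHeaders` are hypothetical names, with `decorate` standing in for `Decorate` so the block runs without the package.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// Values copied from DefaultSettings on this page; header names are assumed.
var expected = map[string]string{
	"X-Frame-Options":                   "SAMEORIGIN",
	"Strict-Transport-Security":         "max-age=31536000; includeSubDomains",
	"X-Content-Type-Options":            "nosniff",
	"X-XSS-Protection":                  "1; mode=block",
	"X-Permitted-Cross-Domain-Policies": "master-only",
}

// decorate is a hypothetical stand-in for Decorate: set headers, then delegate.
func decorate(delegate http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, value := range expected {
			w.Header().Set(name, value)
		}
		delegate.ServeHTTP(w, r)
	})
}

// auditHeaders sends one constructed GET request through h and returns the
// sorted names of expected headers that are missing or carry another value.
func auditHeaders(h http.Handler) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	var bad []string
	for name, want := range expected {
		if got := rec.Header().Get(name); got != want {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	plain := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	// A delegate that removes one header after the decorator has set it.
	weak := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Del("X-Frame-Options") })
	fmt.Println(auditHeaders(plain), auditHeaders(decorate(plain)), auditHeaders(decorate(weak)))
}
```

Pointing `auditHeaders` at the real decorated handler in a test catches both a missing decorator and a downstream handler that weakens a header.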

Types

type Settings

type Settings struct {
	CspOpts    csp.Opts // Content-Security-Policy
	ReportOpts csp.Opts // Content-Security-Policy-Report-Only

	// Where can this site be embedded as an iframe
	FrameOptions string
	// Should user agents default to SSL
	StrictTransportSecurity string
	// Should IE guess mime types
	ContentTypeOptions string
	// Should IE run code that 'looks like' an XSS
	XSSProtection string
	// Specify which cross-domain policies flash can load
	PermittedCrossDomainPolicies string
}

Settings configures the headers a secure handler will add to a ResponseWriter.

Directories

Path Synopsis
package csp implements a content-security-policy header generator
