package main
import (
"net/http"
)
// Names of the response headers this middleware manages.
const (
	// cspHeader carries the Content Security Policy for the response.
	cspHeader = "Content-Security-Policy"

	// frameOptionsHeader controls whether the response may be rendered
	// inside a frame (for example "DENY" or "SAMEORIGIN").
	frameOptionsHeader = "X-Frame-Options"

	// contentTypeOptionsHeader is used to turn off MIME type sniffing.
	contentTypeOptionsHeader = "X-Content-Type-Options"
)
// csp is the handler wrapper that stamps security headers onto a response
// before handing the request to the wrapped handler (see ServeHTTP).
type csp struct {
	// h is the wrapped handler that serves the request once the headers
	// have been set.
	h http.Handler

	// opts holds the header values to emit.
	opts CSPOptions
}
// CSPOptions holds the header values applied by the ContentSecurityPolicy
// middleware. Both fields are unexported, so they can only be populated from
// inside this package.
type CSPOptions struct {
	// policy is the value written to the Content-Security-Policy header.
	policy string

	// frame is the value written to the X-Frame-Options header. The values
	// are passed through unchanged; nothing here validates them.
	frame string
}
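// ServeHTTP sets the configured security headers on the response and then
// delegates to the wrapped handler.
//
// The Content-Security-Policy header is only written when no value is present
// on w at this point, so a policy set earlier in the chain is kept. The
// headers are set before c.h runs, so the wrapped handler can still replace
// or append to them; this check does not see anything it adds later.
//
// Empty option values are skipped rather than emitted. An empty
// Content-Security-Policy or X-Frame-Options header carries no policy and
// gives no protection, yet makes the response look as if it were hardened.
func (c csp) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	hdr := w.Header()

	// Only add a CSP if one is not already set. Set (rather than Add) keeps
	// the response at a single policy value from this middleware.
	if c.opts.policy != "" && hdr.Get(cspHeader) == "" {
		hdr.Set(cspHeader, c.opts.policy)
	}

	// Overrides any X-Frame-Options value set earlier in the chain.
	if c.opts.frame != "" {
		hdr.Set(frameOptionsHeader, c.opts.frame)
	}

	// Always sent: tells the browser to honour the declared Content-Type
	// instead of sniffing the body.
	hdr.Set(contentTypeOptionsHeader, "nosniff")

	c.h.ServeHTTP(w, r)
}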
// ContentSecurityPolicy returns middleware that wraps a handler in csp, so
// that the header values in o are applied to every response before the
// wrapped handler runs. The options are captured by value when the middleware
// is built.
func ContentSecurityPolicy(o CSPOptions) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return csp{h: next, opts: o}
	}
}
// vim:set ts=8 sw=8 noet: