Füge Security-Header hinzu

Das 'unsafe-inline' in der Content-Security-Policy wäre lieber nicht da,
aber dazu müsste man erst die Templates umbauen.
main
Gonne 1 month ago
parent 329af2cf54
commit 8603087ed5

@ -38,6 +38,7 @@ type maskData struct {
// Offer a form to add office hours and validate its input on receiving.
func (b *BaseHandler) AddOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
var errors []string
courses, err := b.courseRepo.GetAll()
if err != nil {

@ -1,6 +1,7 @@
package controllers
import (
"net/http"
"officeHours/config"
"officeHours/models"
)
@ -24,3 +25,11 @@ func NewBaseHandler(roomRepo models.RoomRepository,
config config.Config) *BaseHandler {
return &BaseHandler{roomRepo, officeHourRepo, courseRepo, tutorRepo, requestRepo, config}
}
func SendSecurityHeaders(w http.ResponseWriter, req *http.Request) {
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Referrer-Policy", "same-origin")
w.Header().Set("X-XSS-Protection", "1; mode=block")
}

@ -9,6 +9,7 @@ import (
// Check the secret token for requests and execute the request for correct tokens
func (b *BaseHandler) ConfirmRequestHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
secret := req.FormValue("code")
request, err := b.requestRepo.FindBySecret(secret)

@ -14,6 +14,7 @@ import (
// verify the corresponding mail address and
// then send a confirmation mail.
func (b *BaseHandler) DeleteOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
if req.FormValue("id") != "" {
id, err := strconv.Atoi(req.FormValue("id"))
if err != nil {

@ -10,10 +10,12 @@ import (
)
func (b *BaseHandler) RootHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
b.writeTimetablePage(w, req, template.HTML(""))
}
func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
roomId, _ := strconv.Atoi(req.FormValue("raum"))
room, err := b.roomRepo.FindById(roomId)
if err != nil {
@ -29,6 +31,7 @@ func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request)
}
func (b *BaseHandler) GetByCourseHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
courseid, err := strconv.Atoi(req.FormValue("veranstaltung"))
if err != nil {
b.RootHandler(w, req)

Loading…
Cancel
Save