Füge Security-Header hinzu

Das 'unsafe-inline' in der Content-Security-Policy wäre lieber nicht da, aber dazu müsste man erst die Templates umbauen.
1 month ago · 8603087ed5
parent 329af2cf54
commit 8603087ed5
5 changed files with 15 additions and 0 deletions
--- a/controllers/addOfficeHourHandler.go
+++ b/controllers/addOfficeHourHandler.go
@ -38,6 +38,7 @@ type maskData struct {

 // Offer a form to add office hours and validate its input on receiving.
 func (b *BaseHandler) AddOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	var errors []string
 	courses, err := b.courseRepo.GetAll()
 	if err != nil {
--- a/controllers/baseHandler.go
+++ b/controllers/baseHandler.go
@ -1,6 +1,7 @@
 package controllers

 import (
+	"net/http"
 	"officeHours/config"
 	"officeHours/models"
 )
@ -24,3 +25,11 @@ func NewBaseHandler(roomRepo models.RoomRepository,
 	config config.Config) *BaseHandler {
 	return &BaseHandler{roomRepo, officeHourRepo, courseRepo, tutorRepo, requestRepo, config}
 }
+
+func SendSecurityHeaders(w http.ResponseWriter, req *http.Request) {
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("Referrer-Policy", "same-origin")
+	w.Header().Set("X-XSS-Protection", "1; mode=block")
+}
--- a/controllers/confirmRequestHandler.go
+++ b/controllers/confirmRequestHandler.go
@ -9,6 +9,7 @@ import (

 // Check the secret token for requests and execute the request for correct tokens
 func (b *BaseHandler) ConfirmRequestHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	secret := req.FormValue("code")
 	request, err := b.requestRepo.FindBySecret(secret)

--- a/controllers/deleteOfficeHourHandler.go
+++ b/controllers/deleteOfficeHourHandler.go
@ -14,6 +14,7 @@ import (
 // verify the corresponding mail address and
 // then send a confirmation mail.
 func (b *BaseHandler) DeleteOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	if req.FormValue("id") != "" {
 		id, err := strconv.Atoi(req.FormValue("id"))
 		if err != nil {
--- a/controllers/getHandlers.go
+++ b/controllers/getHandlers.go
@ -10,10 +10,12 @@ import (
 )

 func (b *BaseHandler) RootHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	b.writeTimetablePage(w, req, template.HTML(""))
 }

 func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	roomId, _ := strconv.Atoi(req.FormValue("raum"))
 	room, err := b.roomRepo.FindById(roomId)
 	if err != nil {
@ -29,6 +31,7 @@ func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request)
 }

 func (b *BaseHandler) GetByCourseHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	courseid, err := strconv.Atoi(req.FormValue("veranstaltung"))
 	if err != nil {
 		b.RootHandler(w, req)