diff --git a/controllers/addOfficeHourHandler.go b/controllers/addOfficeHourHandler.go
index 0707abe..56289e7 100644
--- a/controllers/addOfficeHourHandler.go
+++ b/controllers/addOfficeHourHandler.go
@@ -38,6 +38,7 @@ type maskData struct {
 // Offer a form to add office hours and validate its input on receiving.
 func (b *BaseHandler) AddOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	var errors []string
 	courses, err := b.courseRepo.GetAll()
 	if err != nil {
diff --git a/controllers/baseHandler.go b/controllers/baseHandler.go
index 0ab921c..51d4d23 100644
--- a/controllers/baseHandler.go
+++ b/controllers/baseHandler.go
@@ -1,6 +1,7 @@
 package controllers
 import (
+	"net/http"
 	"officeHours/config"
 	"officeHours/models"
 )
@@ -24,3 +25,11 @@ func NewBaseHandler(roomRepo models.RoomRepository, config config.Config) *BaseHandler {
 	return &BaseHandler{roomRepo, officeHourRepo, courseRepo, tutorRepo, requestRepo, config}
 }
+
+func SendSecurityHeaders(w http.ResponseWriter, req *http.Request) {
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("Referrer-Policy", "same-origin")
+	w.Header().Set("X-XSS-Protection", "1; mode=block")
+}
diff --git a/controllers/confirmRequestHandler.go b/controllers/confirmRequestHandler.go
index ba5904a..d2659d4 100644
--- a/controllers/confirmRequestHandler.go
+++ b/controllers/confirmRequestHandler.go
@@ -9,6 +9,7 @@ import (
 // Check the secret token for requests and execute the request for correct tokens
 func (b *BaseHandler) ConfirmRequestHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	secret := req.FormValue("code")
 	request, err := b.requestRepo.FindBySecret(secret)
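Review bot: SendSecurityHeaders in baseHandler.go is invoked by hand at the top of each handler (addOfficeHourHandler.go, confirmRequestHandler.go, deleteOfficeHourHandler.go and both hunks of getHandlers.go), so any handler this commit does not touch, or one added later, responds without these headers; wrapping the mux once in a middleware makes the coverage structural instead of a per-handler convention. The new function also never uses its req parameter and, being exported, has no doc comment — something like `// SendSecurityHeaders sets the baseline response security headers; it must run before the first write to w.` would do. On the policy itself, `script-src 'self' 'unsafe-inline'` permits inline scripts and therefore forfeits most of the XSS protection a CSP offers, so a comment naming which templates still need it would help tighten it later, and `default-src 'none'` with no img-src or font-src directive will block any images or fonts the templates reference, which I cannot confirm from this diff. X-XSS-Protection is no longer honoured by current browsers and is harmless but redundant next to the CSP. The wrapper below is the minimal middleware form; the registration site where it would wrap the mux is outside this diff.
```go
// SecurityHeaders returns a handler that sets the baseline security headers
// on every response before delegating to next.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		SendSecurityHeaders(w, req)
		next.ServeHTTP(w, req)
	})
}
```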
diff --git a/controllers/deleteOfficeHourHandler.go b/controllers/deleteOfficeHourHandler.go
index 036c36a..c1fd35b 100644
--- a/controllers/deleteOfficeHourHandler.go
+++ b/controllers/deleteOfficeHourHandler.go
@@ -14,6 +14,7 @@ import (
 // verify the corresponding mail address and
 // then send a confirmation mail.
 func (b *BaseHandler) DeleteOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	if req.FormValue("id") != "" {
 		id, err := strconv.Atoi(req.FormValue("id"))
 		if err != nil {
diff --git a/controllers/getHandlers.go b/controllers/getHandlers.go
index 5bdc516..d173481 100644
--- a/controllers/getHandlers.go
+++ b/controllers/getHandlers.go
@@ -10,10 +10,12 @@ import (
 )
 func (b *BaseHandler) RootHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	b.writeTimetablePage(w, req, template.HTML(""))
 }
 func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	roomId, _ := strconv.Atoi(req.FormValue("raum"))
 	room, err := b.roomRepo.FindById(roomId)
 	if err != nil {
@@ -29,6 +31,7 @@ func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request)
 }
 func (b *BaseHandler) GetByCourseHandler(w http.ResponseWriter, req *http.Request) {
+	SendSecurityHeaders(w, req)
 	courseid, err := strconv.Atoi(req.FormValue("veranstaltung"))
 	if err != nil {
 		b.RootHandler(w, req)