Füge Security-Header hinzu

Das 'unsafe-inline' in der Content-Security-Policy wäre lieber nicht da, aber dazu müsste man erst die Templates umbauen.
2023-01-04 12:35:24 +01:00 · 2023-01-04 12:35:24 +01:00 · 8603087ed5
commit 8603087ed5
parent 329af2cf54
5 changed files with 15 additions and 0 deletions
--- a/controllers/baseHandler.go
+++ b/controllers/baseHandler.go
@ -1,6 +1,7 @@
 package controllers

 import (
+	"net/http"
 	"officeHours/config"
 	"officeHours/models"
 )
@ -24,3 +25,11 @@ func NewBaseHandler(roomRepo models.RoomRepository,
 	config config.Config) *BaseHandler {
 	return &BaseHandler{roomRepo, officeHourRepo, courseRepo, tutorRepo, requestRepo, config}
 }
+
+func SendSecurityHeaders(w http.ResponseWriter, req *http.Request) {
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("Referrer-Policy", "same-origin")
+	w.Header().Set("X-XSS-Protection", "1; mode=block")
+}