Füge Security-Header hinzu

Das 'unsafe-inline' in der Content-Security-Policy wäre lieber nicht da,
aber dazu müsste man erst die Templates umbauen.
This commit is contained in:
Gonne 2023-01-04 12:35:24 +01:00
parent 329af2cf54
commit 8603087ed5
5 changed files with 15 additions and 0 deletions

View file

@ -38,6 +38,7 @@ type maskData struct {
// Offer a form to add office hours and validate its input on receiving. // Offer a form to add office hours and validate its input on receiving.
func (b *BaseHandler) AddOfficeHourHandler(w http.ResponseWriter, req *http.Request) { func (b *BaseHandler) AddOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
var errors []string var errors []string
courses, err := b.courseRepo.GetAll() courses, err := b.courseRepo.GetAll()
if err != nil { if err != nil {

View file

@ -1,6 +1,7 @@
package controllers package controllers
import ( import (
"net/http"
"officeHours/config" "officeHours/config"
"officeHours/models" "officeHours/models"
) )
@ -24,3 +25,11 @@ func NewBaseHandler(roomRepo models.RoomRepository,
config config.Config) *BaseHandler { config config.Config) *BaseHandler {
return &BaseHandler{roomRepo, officeHourRepo, courseRepo, tutorRepo, requestRepo, config} return &BaseHandler{roomRepo, officeHourRepo, courseRepo, tutorRepo, requestRepo, config}
} }
func SendSecurityHeaders(w http.ResponseWriter, req *http.Request) {
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Referrer-Policy", "same-origin")
w.Header().Set("X-XSS-Protection", "1; mode=block")
}

View file

@ -9,6 +9,7 @@ import (
// Check the secret token for requests and execute the request for correct tokens // Check the secret token for requests and execute the request for correct tokens
func (b *BaseHandler) ConfirmRequestHandler(w http.ResponseWriter, req *http.Request) { func (b *BaseHandler) ConfirmRequestHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
secret := req.FormValue("code") secret := req.FormValue("code")
request, err := b.requestRepo.FindBySecret(secret) request, err := b.requestRepo.FindBySecret(secret)

View file

@ -14,6 +14,7 @@ import (
// verify the corresponding mail address and // verify the corresponding mail address and
// then send a confirmation mail. // then send a confirmation mail.
func (b *BaseHandler) DeleteOfficeHourHandler(w http.ResponseWriter, req *http.Request) { func (b *BaseHandler) DeleteOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
if req.FormValue("id") != "" { if req.FormValue("id") != "" {
id, err := strconv.Atoi(req.FormValue("id")) id, err := strconv.Atoi(req.FormValue("id"))
if err != nil { if err != nil {

View file

@ -10,10 +10,12 @@ import (
) )
func (b *BaseHandler) RootHandler(w http.ResponseWriter, req *http.Request) { func (b *BaseHandler) RootHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
b.writeTimetablePage(w, req, template.HTML("")) b.writeTimetablePage(w, req, template.HTML(""))
} }
func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request) { func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
roomId, _ := strconv.Atoi(req.FormValue("raum")) roomId, _ := strconv.Atoi(req.FormValue("raum"))
room, err := b.roomRepo.FindById(roomId) room, err := b.roomRepo.FindById(roomId)
if err != nil { if err != nil {
@ -29,6 +31,7 @@ func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request)
} }
func (b *BaseHandler) GetByCourseHandler(w http.ResponseWriter, req *http.Request) { func (b *BaseHandler) GetByCourseHandler(w http.ResponseWriter, req *http.Request) {
SendSecurityHeaders(w, req)
courseid, err := strconv.Atoi(req.FormValue("veranstaltung")) courseid, err := strconv.Atoi(req.FormValue("veranstaltung"))
if err != nil { if err != nil {
b.RootHandler(w, req) b.RootHandler(w, req)