Füge Security-Header hinzu
Das 'unsafe-inline' in der Content-Security-Policy wäre lieber nicht da, aber dazu müsste man erst die Templates umbauen.
This commit is contained in:
parent
329af2cf54
commit
8603087ed5
5 changed files with 15 additions and 0 deletions
|
|
@ -38,6 +38,7 @@ type maskData struct {
|
|||
|
||||
// Offer a form to add office hours and validate its input on receiving.
|
||||
func (b *BaseHandler) AddOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
|
||||
SendSecurityHeaders(w, req)
|
||||
var errors []string
|
||||
courses, err := b.courseRepo.GetAll()
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
package controllers
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"officeHours/config"
|
||||
"officeHours/models"
|
||||
)
|
||||
|
|
@ -24,3 +25,11 @@ func NewBaseHandler(roomRepo models.RoomRepository,
|
|||
config config.Config) *BaseHandler {
|
||||
return &BaseHandler{roomRepo, officeHourRepo, courseRepo, tutorRepo, requestRepo, config}
|
||||
}
|
||||
|
||||
func SendSecurityHeaders(w http.ResponseWriter, req *http.Request) {
|
||||
w.Header().Set("X-Frame-Options", "DENY")
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'")
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Header().Set("Referrer-Policy", "same-origin")
|
||||
w.Header().Set("X-XSS-Protection", "1; mode=block")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
|
||||
// Check the secret token for requests and execute the request for correct tokens
|
||||
func (b *BaseHandler) ConfirmRequestHandler(w http.ResponseWriter, req *http.Request) {
|
||||
SendSecurityHeaders(w, req)
|
||||
secret := req.FormValue("code")
|
||||
request, err := b.requestRepo.FindBySecret(secret)
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ import (
|
|||
// verify the corresponding mail address and
|
||||
// then send a confirmation mail.
|
||||
func (b *BaseHandler) DeleteOfficeHourHandler(w http.ResponseWriter, req *http.Request) {
|
||||
SendSecurityHeaders(w, req)
|
||||
if req.FormValue("id") != "" {
|
||||
id, err := strconv.Atoi(req.FormValue("id"))
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -10,10 +10,12 @@ import (
|
|||
)
|
||||
|
||||
func (b *BaseHandler) RootHandler(w http.ResponseWriter, req *http.Request) {
|
||||
SendSecurityHeaders(w, req)
|
||||
b.writeTimetablePage(w, req, template.HTML(""))
|
||||
}
|
||||
|
||||
func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request) {
|
||||
SendSecurityHeaders(w, req)
|
||||
roomId, _ := strconv.Atoi(req.FormValue("raum"))
|
||||
room, err := b.roomRepo.FindById(roomId)
|
||||
if err != nil {
|
||||
|
|
@ -29,6 +31,7 @@ func (b *BaseHandler) GetByRoomHandler(w http.ResponseWriter, req *http.Request)
|
|||
}
|
||||
|
||||
func (b *BaseHandler) GetByCourseHandler(w http.ResponseWriter, req *http.Request) {
|
||||
SendSecurityHeaders(w, req)
|
||||
courseid, err := strconv.Atoi(req.FormValue("veranstaltung"))
|
||||
if err != nil {
|
||||
b.RootHandler(w, req)
|
||||
|
|
|
|||
Loading…
Reference in a new issue