add some security HTTP headers (#5814)

This change adds some security headers like Content-Security-Policy. It does not set the HSTS header because Content-Security-Policy prevents mixed HTTP and HTTPS content and the server does not use cookies. However it is a header which could be added later on. It also moves some header added by #5805 from a vendored file to a generic handler. Fixes ##5813
2018-04-13 00:57:41 +02:00 · 2018-04-13 00:57:41 +02:00 · f60765ac93
parent 1f07545e2a
commit f60765ac93
3 changed files with 19 additions and 5 deletions
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@ -625,3 +625,19 @@ func (l rateLimit) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 	l.handler.ServeHTTP(w, r)
 }
+
+type securityHeaderHandler struct {
+	handler http.Handler
+}
+
+func addSecurityHeaders(h http.Handler) http.Handler {
+	return securityHeaderHandler{handler: h}
+}
+
+func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	header := w.Header()
+	header.Set("X-XSS-Protection", "\"1; mode=block\"")              // Prevents against XSS attacks
+	header.Set("X-Frame-Options", "SAMEORIGIN")                      // Prevents against Clickjacking
+	header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
+	s.handler.ServeHTTP(w, r)
+}
--- a/cmd/routers.go
+++ b/cmd/routers.go
@ -59,6 +59,8 @@ func registerDistXLRouters(mux *router.Router, endpoints EndpointList) error {

 // List of some generic handlers which are applied for all incoming requests.
 var globalHandlers = []HandlerFunc{
+	// set HTTP security headers such as Content-Security-Policy.
+	addSecurityHeaders,
 	// Ratelimit the incoming requests using a token bucket algorithm
 	setRateLimitHandler,
 	// Validate all the incoming paths.
--- a/vendor/github.com/gorilla/rpc/v2/server.go
+++ b/vendor/github.com/gorilla/rpc/v2/server.go
@ -149,11 +149,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// Prevents Internet Explorer from MIME-sniffing a response away
 	// from the declared content-type
 	w.Header().Set("x-content-type-options", "nosniff")
-	// Prevents against XSS Atacks
-	w.Header().Set("X-XSS-Protection", "\"1; mode=block\"")
-	// Prevents against Clickjacking
-	w.Header().Set("X-Frame-Options", "SAMEORIGIN")
-	
+
 	// Encode the response.
 	if errResult == nil {
 		codecReq.WriteResponse(w, reply.Interface())