Secure (This is a community driven project)

Secure middleware for hertz framework.

This repo is forked from secure and adapted for hertz.

Install

go get github.com/hertz-contrib/secure

Custom example

The user passes custom configuration items to the middleware through functional options.

Function Signature

func New(opts ...Option) app.HandlerFunc

Sample Code

package main

import (
	"context"

	"github.com/cloudwego/hertz/pkg/app"
	"github.com/cloudwego/hertz/pkg/app/server"
	"github.com/hertz-contrib/secure"
)

func main() {
	h := server.Default(
		server.WithHostPorts("127.0.0.1:8080"),
	)
	h.Use(secure.New(
		// Reject requests whose Host header is not one of these names.
		secure.WithAllowedHosts([]string{"example.com", "ssl.example.com"}),
		// Redirect plain HTTP requests to this host over HTTPS.
		secure.WithSSLHost("ssl.example.com"),
	))

	h.GET("/ping", func(c context.Context, ctx *app.RequestContext) {
		ctx.String(200, "pong")
	})
	h.Spin()
}

Default Configuration

These are the values New() starts from; an option passed to New() overrides the corresponding field:

config:
	options{
		sslRedirect:           true,
		isDevelopment:         false,
		stsSeconds:            315360000,
		frameDeny:             true,
		contentTypeNosniff:    true,
		browserXssFilter:      true,
		contentSecurityPolicy: "default-src 'self'",
		ieNoOpen:              true,
		sslProxyHeaders:       map[string]string{"X-Forwarded-Proto": "https"},
	},

Option

The Default column is the value used when the option is not passed to New(); it matches the Default Configuration block above.

| Option | Parameter | Default | Description |
|---|---|---|---|
| WithSSLRedirect | bool | true | When true, only HTTPS requests are allowed; plain HTTP requests are redirected to HTTPS (see WithSSLHost and WithSSLTemporaryRedirect). |
| WithIsDevelopment | bool | false | When true, the whole security policy applied by the middleware is disabled completely. Never enable it in production. |
| WithSTSSecond | int64 | 315360000 | max-age for the Strict-Transport-Security header; the default is ten years. Set it to 0 to omit the header. Browsers ignore HSTS received over plain HTTP, so the header only matters once the site is served over HTTPS. |
| WithSTSIncludeSubdomains | bool | false | When true, includeSubdomains is appended to the Strict-Transport-Security header. Only enable it if every subdomain serves HTTPS. |
| WithFrameDeny | bool | true | When true, adds the X-Frame-Options header with the value DENY, which prevents the page from being framed (clickjacking). |
| WithContentTypeNosniff | bool | true | When true, adds the X-Content-Type-Options header with the value nosniff, which stops browsers from MIME-sniffing a response away from its declared Content-Type. |
| WithBrowserXssFilter | bool | true | When true, adds the X-XSS-Protection header with the value 1; mode=block. Current browsers have removed their XSS auditors and ignore this header; rely on Content-Security-Policy instead. |
| WithContentSecurityPolicy | string | "default-src 'self'" | Sets the Content-Security-Policy header to a custom value. |
| WithIENoOpen | bool | true | Prevents Internet Explorer from executing downloads in your site's context (X-Download-Options: noopen). |
| WithSSLProxyHeaders | map[string]string | {"X-Forwarded-Proto": "https"} | Header name/value pairs that mark a request as having arrived over HTTPS. Useful when your app runs behind a TLS-terminating proxy that forwards requests over HTTP (such as on Heroku). Only trust a header the proxy overwrites on every request: if clients can reach the app directly, or the proxy passes client-supplied headers through, a client can set the header itself and bypass the HTTPS redirect. |
| WithAllowedHosts | []string | nil | List of fully qualified domain names that are accepted in the Host header. Default is an empty list, which allows any and all host names; set it in production to block Host-header attacks. |
| WithSSLTemporaryRedirect | bool | false | When true, a 302 is used for the HTTPS redirect instead of a 301. |
| WithSSLHost | string | "" | Host name used when redirecting HTTP requests to HTTPS. Default is "", which keeps the same host. |
| WithCustomFrameOptionsValue | string | "" | Sets the X-Frame-Options header to a custom value (for example SAMEORIGIN). This overrides WithFrameDeny. |
| WithReferrerPolicy | string | "" | Sets the Referrer-Policy header, which governs what referrer information is sent in the Referer header of outgoing requests. |
| WithBadHostHandler | app.HandlerFunc | nil | Handler invoked when a request fails the allowed-hosts check (a bad host). |
| WithFeaturePolicy | string | "" | Sets the Feature-Policy header, which lets a site control which browser features and APIs the page may use. Feature-Policy has been superseded by Permissions-Policy in current browsers. |
| WithDontRedirectIPV4Hostnames | bool | false | When true, requests whose Host is an IPv4 address are not redirected to HTTPS, so load balancer health checks that reach the instance by IP succeed. |
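To make the option semantics above concrete, the following is an added stand-alone example, not hertz-contrib/secure's code and not hertz's API: it reimplements the allowed-hosts check, the HTTPS redirect, the SSL proxy header and the Strict-Transport-Security header on plain net/http requests, using the hosts from the sample code above. Policy, Decision, Evaluate and ExamplePolicy are hypothetical names, the field names mirror the options in the table, and the requests are constructed with httptest for the demo.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Policy mirrors the option names in the table above. It is a hypothetical,
// stand-alone reimplementation for illustration, not hertz-contrib/secure's code.
type Policy struct {
	AllowedHosts              []string
	SSLRedirect               bool
	SSLHost                   string
	SSLProxyHeaders           map[string]string
	DontRedirectIPV4Hostnames bool
	STSSeconds                int64
	STSIncludeSubdomains      bool
}

// Decision: Status 0 means "continue to the handler, adding Headers"; 301 carries a Location; 400 is a bad host.
type Decision struct {
	Status   int
	Location string
	Headers  map[string]string
}

// isSSL is true on a TLS connection or when a proxy header says the client used HTTPS.
// Only configure SSLProxyHeaders if the proxy overwrites that header on every request.
func (p Policy) isSSL(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	for name, want := range p.SSLProxyHeaders {
		if strings.EqualFold(r.Header.Get(name), want) {
			return true
		}
	}
	return false
}

func isIPv4Host(host string) bool {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.To4() != nil
}

// Evaluate runs the checks in middleware order: host allow-list, HTTPS redirect, headers.
func (p Policy) Evaluate(r *http.Request) Decision {
	d := Decision{Headers: map[string]string{}}
	allowed := len(p.AllowedHosts) == 0 // empty list allows every host
	for _, h := range p.AllowedHosts {
		allowed = allowed || strings.EqualFold(h, r.Host) // full Host header, port included
	}
	if !allowed {
		d.Status = http.StatusBadRequest
		return d
	}
	ssl := p.isSSL(r)
	if p.SSLRedirect && !ssl && !(p.DontRedirectIPV4Hostnames && isIPv4Host(r.Host)) {
		target := *r.URL
		target.Scheme, target.Host = "https", r.Host
		if p.SSLHost != "" {
			target.Host = p.SSLHost
		}
		d.Status, d.Location = http.StatusMovedPermanently, target.String()
		return d
	}
	if ssl && p.STSSeconds != 0 { // browsers ignore HSTS received over plain HTTP
		v := "max-age=" + strconv.FormatInt(p.STSSeconds, 10)
		if p.STSIncludeSubdomains {
			v += "; includeSubdomains"
		}
		d.Headers["Strict-Transport-Security"] = v
	}
	return d
}

// ExamplePolicy is the sample code's configuration plus the page's defaults (constructed demo values).
func ExamplePolicy() Policy {
	return Policy{AllowedHosts: []string{"example.com", "ssl.example.com"}, SSLRedirect: true,
		SSLHost: "ssl.example.com", SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
		DontRedirectIPV4Hostnames: true, STSSeconds: 315360000, STSIncludeSubdomains: true}
}

func main() {
	p := ExamplePolicy()
	proxied := httptest.NewRequest("GET", "http://example.com/ping", nil)
	proxied.Header.Set("X-Forwarded-Proto", "https") // what a TLS-terminating proxy adds
	fmt.Printf("behind proxy: %+v\n", p.Evaluate(proxied))
	fmt.Printf("bad host:     %+v\n", p.Evaluate(httptest.NewRequest("GET", "http://evil.example.net/", nil)))
}
```

Two behaviours worth checking in your own deployment are visible here: a request that carries X-Forwarded-Proto: https is treated as secure whether or not a proxy set it, which is why the proxy must overwrite that header, and a request whose Host is a bare IPv4 address is exempt from the redirect only while DontRedirectIPV4Hostnames is on, so health checks by IP succeed without weakening the rule for real host names. In a hertz service these fields correspond to the With* options documented above.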

License

This project is under Apache License. See the LICENSE file for the full license text.