unrolled / secure Goto Github PK
View Code? Open in Web Editor NEWHTTP middleware for Go that facilitates some quick security wins.
License: MIT License
HTTP middleware for Go that facilitates some quick security wins.
License: MIT License
When SSL is enabled the Location response header is not replaced to HTTPS, causing an unnecessary redirect.
Could you add an example for the chi library? Thanks.
我把gin代码示例里的端口改成443端口,然后访问不了,说找不到网页。
Hello,
I am proxied behind Cloudflare. I Set SSLHost to a number of variations of "https://url.example.co.uk", "https://url.example.co.uk/", "url.example.co.uk", but I keep getting "bad host" at my staging environment.
I should note that my dev environment is working fine, but that's because I've set the IsDevelopment param to true.
I don't think I had this issue before proxying via CloudFlare, so now I am wondering whether that may have caused it. I have also passed all URLs of my project to "AllowedHosts", so technically that should work.
I am slightly lost and was wondering whether you may be able to offer some help. Thanks!
HPKP
was to be replaced by the reactive Certificate Transparency framework coupled with the Expect-CT
header but as of today, the Expect-CT
header is obsolete.
Chrome requires Certificate Transparency for all publicly trusted certificates issued after April 30, 2018. View ref
Hello, I am trying to access the generated NONCE using Gin:
nonce := secure.CSPNonce(c.Request.Context())
This always returns an empty string, even tho the nonce appears on the request headers, digging the code I see the nonce beeing added to the request context (I am using the example on the README), but I cant seem to get it properly, here is a more complete example:
func Home(c *gin.Context) {
c.HTML(http.StatusOK, "home.html", gin.H{
"nonce": secure.CSPNonce(c.Request.Context()),
})
}
func secureFunc(config *app.Config) gin.HandlerFunc {
// Create secure middleware
secureMiddleware := secure.New(secure.Options{
FrameDeny: true,
BrowserXssFilter: true,
ReferrerPolicy: "no-referrer",
ContentTypeNosniff: true,
AllowedHostsAreRegex: false,
SSLRedirect: !config.DebugMode,
SSLTemporaryRedirect: false,
STSSeconds: 31536000,
ContentSecurityPolicy: fmt.Sprintf(
"script-src %s",
"'self' $NONCE",
),
IsDevelopment: config.DebugMode,
})
return func(c *gin.Context) {
if err := secureMiddleware.Process(c.Writer, c.Request); err != nil {
c.AbortWithError(http.StatusInternalServerError, err)
return
}
// Avoid header rewrite if response is a redirection
if status := c.Writer.Status(); status > 300 && status < 399 {
c.Abort()
}
}
}
Clearly the nonceEnabled
should be true (https://github.com/unrolled/secure/blob/v1/secure.go#L248) but the value is not there, I am missing something?
Any ideas?
Thanks
Hi, I am seeking to redirect from HTTP to HTTPS, usually the browser may complain that mix-content after redirecting since the original page contains some static http link. Then I saw "Content-Security-Policy: upgrade-insecure-requests" could help from this article.
From the example in this README, I saw it could do the redirection and also there is CSP option, but when I try it out, it can work with redirection but there is no CSP option seen in the http header, what is wrong?
Thanks
Becuase the context key:
https://github.com/unrolled/secure/blob/v1/secure.go#L30
Is static, it does not allow for multiple secure instances to act in series, as the second will overwrite the key from the first.
@unrolled, Do you have any qualms with me implementing an overrideable context key to allow chaining instances?
The issue we are encountering is we want to define an instance to configure just https redirection, and then another instance just to handle csp etc, and be more modular.
This doesn't work currently, and we would like to make it work.
As defined in https://www.w3.org/TR/permissions-policy-1/
secureMiddleware := secure.New(secure.Options{
FrameDeny: true,
})
e := echo.New()
e.Use(secureMiddleware.Handler)
cannot use secureMiddleware.Handler (type func(http.Handler) http.Handler) as type echo.MiddlewareFunc in argument to e.Use
Please add support for the Expect-CT header. This header allows site admins to get reports from browsers if a received certificated doesn't contain valid Certificate Transparency information. Since CT is now required by all modern browsers this can help admins detect some misconfigurations.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
https://scotthelme.co.uk/a-new-security-header-expect-ct/
The header is already checked (but not scored) by securityheaders.io.
is will support this?
This is the error report: verifying github.com/unrolled/[email protected]: github.com/unrolled/[email protected]: reading https://goproxy.io/sumdb/sum.golang.org/lookup/github.com/unrolled/[email protected]: 410 Gone
Hello,
Not entirely an issues, but rather a question of use. Could I use this library to strengthen security of access for a publicly facing REST API microservice?
Also, once implemented, is there is a way to validate options manually that they are enabled and properly functioning?
Regards,
Max
A proxy like Apache transmits certain information over headers when in a reverse proxy configuration [1]. Currently, this repo supports the use of custom headers for detecting when SSL is enabled, via the SSLProxyHeaders
option, but this functionality is not present for the AllowedHosts
option.
I'm planning to submit a PR for this shortly.
[1] https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers
I'm currently trying to implement the new (and awesome) dynamic CSP nonce feature to work, but I think I'm doing something wrong.
I created a secure.Options struct with the following params:
secureMiddlewareOptions := secure.Options{ ContentSecurityPolicy: "script-src $NONCE", }
I then add the created middleware to my main negroni route:
secureMiddleware := secure.New(secureMiddlewareOptions) n.Use(negroni.HandlerFunc(secureMiddleware.HandlerFuncWithNext))
The Content-Security-Policy
header is added correctly, and the $NONCE is replaced. But instead of replacing it with a random CSP "string" nothing is added. The result looks like this:
Content-Security-Policy:script-src 'nonce-'
.
Did I overlook something? Thanks for your help.
I'm trying to use unrolled secure for CSP support, but I'm finding the static configuration a little inflexible when trying to configure for websockets. Would there be interest in a new configuration option to support websockets in the connect-src option that was slightly more dynamic?
for websockets the policy looks like connect-src wss://theserver
. Since the configuration is statically configured at middleware construction time, and it's hard to know what IP the server is actually serving from until runtime; especially with reverse proxys and containers, etc, this makes it hard to achieve with the current middleware.
Options:
Would there be interest in take a PR which implemented something like option 2? or should I just go with something like option 1?
Thanks for writing a very useful middleware!
Content Security policies can be a long and complex string. Is it worth creating a simple function/struct/builder to make constructing these easier, and in a less error prone way? Something like:
secure.Options{
ContentSecurityPolicy: secure.ContentSecurityPolicy{
DefaultSrc: ["self"],
ScriptSrc: ["self", "www.google-analytics.com"]
}
}
Hello, am a graphic designer. Will you be interested in me contributing a logo to your repo project? I would make it for you free, that's if you are interested.
Can we have an Option to pass a function that if set, assigns the allowedHosts list to the list returned by such a function?
ex.
in secure.go
// AllowedHostsFunc a custom function type that returns a list of strings used in place of AllowedHosts list
type AllowedHostsFunc func() []string
...
type Options struct {
...
AllowedHostsFunc AllowedHostsFunc
...
}
...
// Allowed hosts check.
if s.opt.AllowedHostsFunc != nil {
s.opt.AllowedHosts = s.opt.AllowedHostsFunc()
}
if len(s.opt.AllowedHosts) > 0 && !s.opt.IsDevelopment {
...
I wrote some tests and seems to satisfy what I need, which is dynamically fetching cached hosts list
Hello,
Here is the issue I am encountering:
We have a request that is passed to secure that has been modified by other middleware. The path has been modified, and therefore when passed to secure, the incorrect response is generated.
The solution as far as I see it, is to "unmodify" the path, pass the request to secure, then "remodify" the path after secure has processed the request, but before it passes to next
. The issue I am encountering with secure is that processRequest
is not exported, and therefore cannot be used by my package.
I am essentially trying to write my own HandlerFuncForRequestOnly
(https://github.com/unrolled/secure/blob/v1/secure.go#L183).
Do you think that processRequest
could be exported?
Or do you think that we could have a mirrored ProcessNoModifyRequest
similar to Process
that returns the responseHeaders? something like this:
// ProcessNoModifyRequest runs the actual checks but does not write the headers in the ResponseWriter.
func (s *Secure) ProcessNoModifyRequest(w http.ResponseWriter, r *http.Request) (http.Header, error) {
return s.processRequest(w, r)
}
Thoughts?
Hello there
i have a problem with SSLRedirect
, the problem is that i only serve a TLS instance with
http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", n)
and no plain istance.
Visiting localhost:8443
it doesn't redirect me to https://localhost:8443
And in console i get
2017/10/18 17:27:13 http: TLS handshake error from [::1]:39118: tls: first record does not look like a TLS handshake
There is another solution instead of starting a plain instance?
Using this code to set up our secure:
securer := secure.Secure(secure.Options{
SSLRedirect: strings.ToLower(os.Getenv("FORCE_SSL")) == "true",
SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
STSSeconds: 315360000,
STSIncludeSubdomains: true,
FrameDeny: true,
ContentTypeNosniff: true,
BrowserXssFilter: true,
})
Always getting 500 errors on HEAD requests to http://[website] when it tries to redirect to https. Is this a known issue? Is there some configuration to get around this? Thanks!
The "Referrer-Policy" header is recently introduced and adds support for global restrictions on referrer leakage. It would probably be useful to add support for it here! It's recently been added to the https://securityheaders.io testing website, with a corresponding blog post [1]. Is this something you would be open to?
[1] https://scotthelme.co.uk/a-new-security-header-referrer-policy/
Hi
Great work. Thanks for this awesome middleware.
Can I send a PR for adding dynamic CSP nonce?
Proposed Implementation would extend the current solution without breaking anything
Now
ContentSecurityPolicy: "script-src 'self'"
Proposed Solution
ContentSecurityPolicy: "script-src 'self' {{ . }}"
Will use Go's template/text
package to change this to to a fmt
string i.e. script-src 'self' 'nonce-%s'
then use this to send headers on every request with a unique nonce for each request.
Add a new Nonce(r *http.Request)
function globally to get the nonce for the present request which can be later used to add nonce to scripts like,
<script nonce="2726c7f26c"> var inline = 1; </script>
There can also a nonce length property.
Thanks for maintaining this package.
Any chance we can get a release tag for 2021? I'm trying to implement the PermissionsPolicy
header but it is still called FeaturePolicy
in v1.0.8
.
Hi, I used your redirecting example and I am interested in knowing if it is SAFE to add more headers to secureMiddleware
of your example or not? I am very new to security in Go. The thing is that your approach shows that we create one secureMiddleware
and pass it to ListenAndServe
go routine as well as ListenAndServeTLS
.
What if, I do the same thing but add more header to that secureMiddleware
? Is this a possibility that hackers somehow get to understand that we are redirected from http
to https
and therefore we can get into the http version of the server (because I am passing the main gorilla router to ListenAndServe
). Does something like this happen?
And what about future links we visit on the site after first redirection? ListenAndServe
was used only once when we typed url without https
(I am on development right now). I still want to confirm as I am not sure.
Below is my current main function for your reference:
func main() {
// HTTPS certificate files
certPath := "server.pem"
keyPath := "server.key"
// secure middleware
secureMiddleware := secure.New(secure.Options{
AllowedHosts: []string{"localhost"},
HostsProxyHeaders: []string{"X-Forwarded-Host"},
SSLRedirect: true,
SSLHost: "localhost:443",
SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
STSSeconds: 63072000,
STSIncludeSubdomains: true,
STSPreload: true,
ForceSTSHeader: false,
FrameDeny: true,
ContentTypeNosniff: true,
BrowserXssFilter: true,
// I need to change it as Content-Security-Policy: default-src 'self' *.trusted.com if I want to load images from S3 bucket (See - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
// ContentSecurityPolicy: "default-src 'self'",
PublicKey: `pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubdomains; report-uri="https://www.example.com/hpkp-report"`,
ReferrerPolicy: "same-origin",
// IsDevelopment: true,
})
// Setting up logging files in append mode
common.SetupLogging()
common.Log.Info("On line 35 certPath and keyPath")
// Setting up mongodb
mongodb, err := datastore.NewDatastore(datastore.MONGODB, "localhost:27017")
if err != nil {
common.Log.Warn(err.Error())
}
defer mongodb.Close()
// Passing mongodb to environment variable
env := common.Env{DB: mongodb}
common.Log.Info("On line 44")
// Router and routes
r := mux.NewRouter()
r.Handle("/", handlers.Handler{E: &env, H: handlers.Index}).Methods("GET")
// Middleware and server
commonMiddleware := handlers.RecoveryHandler(handlers.PrintRecoveryStack(true))(gh.CombinedLoggingHandler(common.TrafficLog, secureMiddleware.Handler(r)))
common.Log.Info("On line 49")
sTLS := &http.Server{
Addr: ":443",
Handler: commonMiddleware,
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20,
}
common.Log.Info("Serving...")
go func() {
log.Fatal(http.ListenAndServe(":80", commonMiddleware))
}()
log.Fatal(sTLS.ListenAndServeTLS(certPath, keyPath))
}
Or, should we have one secureMiddleware
and one redirectMiddleware
; the redirectMiddleware
will be exactly like the one in your HTTP to HTTPS redirection example in readme. And, pass this redirectMiddleware
to ListenAndServe
with the main router (in my case r
).
Please clarify. And, if we can use same secureMiddleware
then I would prefer we add comments stating something like "// you can have more headers here" in the secureMiddleware
of redirection example.
hi
we have health check on server which check the server for uptime,
but with forced https, it causes issue.
anyway to allow ignore redirect if either X-Forwarded-Proto is empty or not set
or AllowedHosts is not in the list?
In my opinion, the if clause for the host check should rather be implemented with a regular expression, since e.g. wildcards are often used to allow subdomains.
What's your point of view on this issue? Should I open a pull request?
The commit 624f918
Avoids an extra redirect by modifying the scheme on the location response header.
However, it does not check that the location referred to in the header is SSLHost
.
In effect, it rewrites all location responses to https, even if the proxy implementing unrolled/secure
is not handling the domain.
It prevents redirecting to third party http URLs.
The modification should also not rewrite the scheme if there is a port defined in the response header.
Related issue: traefik/traefik#5807
PR Incoming
According to the README one should use secure with Gin using the Process
function. However it doesn't implement the nonce generation like the Handler
function.
Should I use one of the Handler functions? If so, how?
The following are valid values for the X-XSS-Protection
header:
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
Setting BrowserXssFilter
to true gives the header the value 1; mode=block
, but does not allow for setting it as 1
or 1; report=<reporting-uri>
.
It would be nice if there is the possibility of setting it to these values: 1
or 1; report=<reporting-uri>
.
Forcing HTTPS on all subdomains for 10 years is a dangerous to show on the first example. There should probably be some kind of warning about HSTS - that once you add them and user's browsers accept them, they can't be removed. If this Go server is handling all subdomains, then it'll probably be fine, but many people will have CNAMEs pointing elsewhere for various hosted services, etc.
When s.processRequest returns an error, newR is nil, and newR.Context()
panics
Lines 252 to 255 in ab726b2
Worth adding support for Access-Control-Allow-Origin headers? Perhaps even reusing the AllowedHost list?
I noticed that in the docs, the value of HSTS is 315360000
seconds which equals to 10 years. In most implementations that I have seen it's just 31536000
which is 1 year. Is this a typo? I can do a quick PR for a fix if needed.
Hi @unrolled, as per your suggestion I've put up an alternative CSP middleware that allows dynamic host configuration for the CSP headers. You can find it here:
https://github.com/awakenetworks/csp
Hopefully others with complex CSP requirements will find it useful.
go.mod
refers to github.com/codegangsta/negroni
, but the repo is now named github.com/urfave/negroni
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.