package secure
v2.0.1 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 2, 2026 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package secure provides HTTP security header utilities.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CSPPolicy

func CSPPolicy(profile CSPProfile) string

CSPPolicy returns the named CSP policy string.

func RenderCSPTemplate

func RenderCSPTemplate(template CSPTemplate, values CSPTemplateValues) string

RenderCSPTemplate renders a CSP template with the provided values.

Types

type CSPProfile

type CSPProfile string

CSPProfile configures a named CSP policy.

const (
	// CSPProfileAPI is a conservative CSP for API-only services.
	CSPProfileAPI CSPProfile = "api"
	// CSPProfileAPIDocs allows Swagger UI assets for API documentation.
	CSPProfileAPIDocs CSPProfile = "api-docs"
	// CSPProfileWebApp is a baseline CSP for browser-facing apps.
	CSPProfileWebApp CSPProfile = "web-app"
)

type CSPTemplate

type CSPTemplate string

CSPTemplate defines a CSP template string with placeholders.

const (
	// CSPTemplateWebApp is a baseline CSP template for browser apps.
	CSPTemplateWebApp CSPTemplate = "default-src 'self'; base-uri 'self'; object-src 'none'; " +
		"frame-ancestors 'none'; form-action 'self'; script-src 'self' {{nonce}} {{script-src}}; " +
		"style-src 'self' {{nonce}} {{style-src}}; img-src 'self' data: {{img-src}}; " +
		"connect-src 'self' {{connect-src}}; font-src 'self' {{font-src}}"
)

type CSPTemplateValues

type CSPTemplateValues struct {
	Nonce      string
	ScriptSrc  []string
	StyleSrc   []string
	ImgSrc     []string
	ConnectSrc []string
	FontSrc    []string
}

CSPTemplateValues holds CSP placeholder replacements.
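The template above is filled per request from a CSPTemplateValues, so each response can carry a fresh script/style nonce. The following stand-alone Go program is an added illustration, not the package's own RenderCSPTemplate: it assumes {{nonce}} is rendered as the 'nonce-<value>' source expression, list placeholders as space-separated sources, and empty placeholders as nothing; the nonce, hostnames and the Render/Directive helpers are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed copy of the page's CSPTemplateWebApp text so this file runs stand-alone.
const cspTemplateWebApp = "default-src 'self'; base-uri 'self'; object-src 'none'; " +
	"frame-ancestors 'none'; form-action 'self'; script-src 'self' {{nonce}} {{script-src}}; " +
	"style-src 'self' {{nonce}} {{style-src}}; img-src 'self' data: {{img-src}}; " +
	"connect-src 'self' {{connect-src}}; font-src 'self' {{font-src}}"

// Values mirrors the field layout of the page's CSPTemplateValues struct.
type Values struct {
	Nonce                                            string
	ScriptSrc, StyleSrc, ImgSrc, ConnectSrc, FontSrc []string
}

var placeholderRe = regexp.MustCompile(`\{\{[a-z-]+\}\}`)

// Render fills the placeholders. ASSUMED semantics (not taken from the package): {{nonce}}
// becomes the 'nonce-<value>' expression browsers match against a tag's nonce attribute,
// list placeholders become space-separated sources, and empty placeholders vanish.
func Render(tmpl string, v Values) string {
	repl := map[string]string{
		"{{script-src}}": strings.Join(v.ScriptSrc, " "), "{{style-src}}": strings.Join(v.StyleSrc, " "),
		"{{img-src}}": strings.Join(v.ImgSrc, " "), "{{connect-src}}": strings.Join(v.ConnectSrc, " "),
		"{{font-src}}": strings.Join(v.FontSrc, " "),
	}
	if v.Nonce != "" {
		repl["{{nonce}}"] = "'nonce-" + v.Nonce + "'"
	}
	out := placeholderRe.ReplaceAllStringFunc(tmpl, func(p string) string { return repl[p] })
	out = regexp.MustCompile(` {2,}`).ReplaceAllString(out, " ") // collapse gaps left by empties
	return strings.TrimSpace(strings.ReplaceAll(out, " ;", ";"))
}

// Directive returns the sources of one directive in a rendered policy, for tests and header audits.
func Directive(policy, name string) []string {
	for _, d := range strings.Split(policy, ";") {
		if f := strings.Fields(d); len(f) > 0 && f[0] == name {
			return f[1:]
		}
	}
	return nil
}

func main() { // constructed per-request values: a fresh nonce and one allowed script CDN
	p := Render(cspTemplateWebApp, Values{Nonce: "r4nd0m", ScriptSrc: []string{"https://cdn.example.com"}})
	fmt.Println(p, "\n", Directive(p, "script-src"))
}
```

Because the nonce is generated per request and never repeats, an injected inline script without the matching nonce attribute is blocked even though no 'unsafe-inline' appears in the policy.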

type Handler

type Handler struct {
	// contains filtered or unexported fields
}

Handler adds a minimal set of sane security headers.

func New

func New(opts ...Option) (*Handler, error)

New constructs a security header middleware with optional overrides.

func (*Handler) Middleware

func (h *Handler) Middleware() func(http.Handler) http.Handler

Middleware returns the http.Handler middleware adapter.

type HeaderProfile

type HeaderProfile string

HeaderProfile configures a named security header preset.

const (
	// HeaderProfileAPIOnly targets JSON APIs and non-browser clients.
	HeaderProfileAPIOnly HeaderProfile = "api-only"
	// HeaderProfileDocsUI targets interactive API documentation UIs.
	HeaderProfileDocsUI HeaderProfile = "docs-ui"
	// HeaderProfileWebApp targets browser-facing web applications.
	HeaderProfileWebApp HeaderProfile = "web-app"
)

type Option

type Option func(*Options)

Option applies a functional option to Options.

func APIOnly

func APIOnly() Option

APIOnly applies the API-only header profile.

func DocsUI

func DocsUI() Option

DocsUI applies the API documentation header profile.

func WebApp

func WebApp() Option

WebApp applies the browser-facing web app header profile.

func WithCOEP

func WithCOEP(policy string) Option

WithCOEP sets the Cross-Origin-Embedder-Policy header value.

func WithCOOP

func WithCOOP(policy string) Option

WithCOOP sets the Cross-Origin-Opener-Policy header value.

func WithCORP

func WithCORP(policy string) Option

WithCORP sets the Cross-Origin-Resource-Policy header value.

func WithCSP

func WithCSP(policy string) Option

WithCSP sets a static Content-Security-Policy header value.

func WithCSPFunc

func WithCSPFunc(fn func(*http.Request) string) Option

WithCSPFunc sets a per-request Content-Security-Policy function.

func WithCSPProfile

func WithCSPProfile(profile CSPProfile) Option

WithCSPProfile sets a named Content-Security-Policy profile.

func WithCSPTemplate

func WithCSPTemplate(template CSPTemplate, values CSPTemplateValues) Option

WithCSPTemplate sets a Content-Security-Policy header from a template.

func WithCSPTemplateFunc

func WithCSPTemplateFunc(template CSPTemplate, fn func(*http.Request) CSPTemplateValues) Option

WithCSPTemplateFunc sets a per-request Content-Security-Policy from a template.

func WithCrossOriginIsolation

func WithCrossOriginIsolation() Option

WithCrossOriginIsolation enables cross-origin isolation headers.

func WithCrossOriginPolicies

func WithCrossOriginPolicies(coop, coep, corp string) Option

WithCrossOriginPolicies sets cross-origin isolation header values explicitly.

func WithHSTS

func WithHSTS(maxAge time.Duration, includeSubdomains, preload bool) Option

WithHSTS configures Strict-Transport-Security behavior.

func WithHeaderProfile

func WithHeaderProfile(profile HeaderProfile) Option

WithHeaderProfile applies a named header profile.

func WithPermissionsPolicy

func WithPermissionsPolicy(policy string) Option

WithPermissionsPolicy sets the Permissions-Policy header value.

func WithResolver

func WithResolver(resolver identity.Resolver) Option

WithResolver sets the trusted proxy resolver used for scheme detection.

type Options

type Options struct {
	ContentSecurityPolicy     string
	ContentSecurityPolicyFunc func(*http.Request) string
	PermissionsPolicy         string
	ReferrerPolicy            string
	FrameOptions              string
	ContentTypeOptions        string
	CrossOriginOpenerPolicy   string
	CrossOriginEmbedderPolicy string
	CrossOriginResourcePolicy string
	HSTSMaxAge                time.Duration
	HSTSIncludeSubdomains     bool
	HSTSPreload               bool
	Resolver                  identity.Resolver
}

Options configures the security header middleware.
