Documentation
Index ¶
- Constants
- func AutoContentType() func(http.Handler) http.Handler
- func CSPBasic() string
- func CSPModern() string
- func CSPStrict() string
- func DefaultDocumentPolicy() string
- func DefaultPermissionsPolicy() string
- func DefaultReportingEndpoints(endpoint string) string
- func GetSecurityHeadersMiddleware() func(http.Handler) http.Handler
- func HSTSValue(maxAge int, includeSubdomains bool, preload bool) string
- func New(options ...func(*Config)) mist.Middleware
- func RemoveServerHeaders() func(http.Handler) http.Handler
- func SetContentSecurityPolicy(value string) func(*SecurityHeaders)
- func SetHSTS(enable bool, maxAge time.Duration, includeSubDomains, preload bool) func(*SecurityHeaders)
- func SetXFrameOptions(value string) func(*SecurityHeaders)
- func WithCSPReporting(enabled bool) func(*Config)
- func WithContentSecurityPolicy(policy string) func(*Config)
- func WithContentTypeNoSniff(enabled bool) func(*Config)
- func WithCrossOriginPolicies(embedder, opener, resource string) func(*Config)
- func WithDocumentPolicy(policy string) func(*Config)
- func WithExpectCT(enabled bool, maxAge int, enforce bool) func(*Config)
- func WithHSTS(enabled bool, maxAge int, includeSubdomains bool, preload bool) func(*Config)
- func WithNonce(enabled bool) func(*Config)
- func WithPermissionsPolicy(policy string) func(*Config)
- func WithReferrerPolicy(policy string) func(*Config)
- func WithReportURI(uri string) func(*Config)
- func WithReportingEndpoints(endpoints string) func(*Config)
- func WithUpgradeInsecureRequests(enabled bool) func(*Config)
- func WithXFrameOptions(option string) func(*Config)
- func WithXSSProtection(enabled bool) func(*Config)
- func XFrameAllowFrom(uri string) string
- type CSPBuilder
- type Config
- type SecurityHeaders
Constants ¶
const ReferrerNoReferrer = "no-referrer"
ReferrerNoReferrer 不发送Referrer信息
const ReferrerNoReferrerWhenDowngrade = "no-referrer-when-downgrade"
ReferrerNoReferrerWhenDowngrade 仅在HTTPS到HTTP时不发送
const ReferrerSameOrigin = "same-origin"
ReferrerSameOrigin 仅同源时发送
const ReferrerStrictOrigin = "strict-origin"
ReferrerStrictOrigin 只发送源(严格)
const ReferrerStrictOriginWhenCrossOrigin = "strict-origin-when-cross-origin"
ReferrerStrictOriginWhenCrossOrigin 跨域时仅发送源(严格)
const XFrameDeny = "DENY"
XFrameDeny 拒绝所有iframe嵌入
const XFrameSameOrigin = "SAMEORIGIN"
XFrameSameOrigin 仅允许同源iframe嵌入
Variables ¶
This section is empty.
Functions ¶
func AutoContentType ¶ added in v0.1.26
AutoContentType 设置正确的Content-Type头的中间件
func DefaultDocumentPolicy ¶ added in v0.1.24
func DefaultDocumentPolicy() string
DefaultDocumentPolicy 返回默认的文档策略
func DefaultPermissionsPolicy ¶ added in v0.1.24
func DefaultPermissionsPolicy() string
DefaultPermissionsPolicy 返回默认的权限策略
func DefaultReportingEndpoints ¶ added in v0.1.24
DefaultReportingEndpoints 返回默认的报告终端配置
func GetSecurityHeadersMiddleware ¶ added in v0.1.26
GetSecurityHeadersMiddleware 提供默认安全头中间件
func RemoveServerHeaders ¶ added in v0.1.26
RemoveServerHeaders 移除X-Powered-By和Server头的中间件
func SetContentSecurityPolicy ¶ added in v0.1.26
func SetContentSecurityPolicy(value string) func(*SecurityHeaders)
SetContentSecurityPolicy 设置内容安全策略
func SetHSTS ¶ added in v0.1.26
func SetHSTS(enable bool, maxAge time.Duration, includeSubDomains, preload bool) func(*SecurityHeaders)
SetHSTS 设置HSTS策略（注意：此处 maxAge 为 time.Duration，而 WithHSTS 的 maxAge 为以秒计的 int，两者单位不同）
func SetXFrameOptions ¶ added in v0.1.26
func SetXFrameOptions(value string) func(*SecurityHeaders)
SetXFrameOptions 设置X-Frame-Options选项
func WithCSPReporting ¶ added in v0.1.24
WithCSPReporting 设置CSP报告模式
func WithContentSecurityPolicy ¶
WithContentSecurityPolicy 设置内容安全策略
func WithContentTypeNoSniff ¶
WithContentTypeNoSniff 设置内容类型嗅探保护
func WithCrossOriginPolicies ¶
WithCrossOriginPolicies 设置跨源政策
func WithDocumentPolicy ¶ added in v0.1.24
WithDocumentPolicy 设置文档策略
func WithExpectCT ¶
WithExpectCT 设置Expect-CT
func WithPermissionsPolicy ¶
WithPermissionsPolicy 设置权限策略
func WithReferrerPolicy ¶
WithReferrerPolicy 设置引用来源政策
func WithReportURI ¶ added in v0.1.24
WithReportURI 设置报告URI
func WithReportingEndpoints ¶ added in v0.1.24
WithReportingEndpoints 设置报告终端
func WithUpgradeInsecureRequests ¶ added in v0.1.24
WithUpgradeInsecureRequests 设置是否启用升级不安全请求
func WithXFrameOptions ¶
WithXFrameOptions 设置X-Frame-Options
func WithXSSProtection ¶
WithXSSProtection 设置XSS保护
Types ¶
type CSPBuilder ¶
// CSPBuilder assembles a Content-Security-Policy value directive by directive
// (see Add and RequireSRI); its fields are unexported.
type CSPBuilder struct {
	// contains filtered or unexported fields
}
CSPBuilder 用于构建内容安全策略的生成器
func (*CSPBuilder) Add ¶
func (b *CSPBuilder) Add(directive string, values ...string) *CSPBuilder
Add 添加内容安全策略指令
func (*CSPBuilder) RequireSRI ¶ added in v0.1.24
func (b *CSPBuilder) RequireSRI(directive string, require bool) *CSPBuilder
RequireSRI 为特定指令要求使用SRI
type Config ¶
// Config holds the security-header settings consumed by the With* options.
type Config struct {
	// XSSProtection enables XSS protection (X-XSS-Protection).
	// NOTE(review): current mainstream browsers ignore this legacy header;
	// treat it as a compatibility option, not a control — confirm with callers.
	XSSProtection bool
	// ContentTypeNoSniff forbids content-type sniffing.
	ContentTypeNoSniff bool
	// XFrameOptions is the X-Frame-Options setting.
	XFrameOptions string
	// HSTS enables HTTP Strict Transport Security.
	HSTS bool
	// HSTSMaxAge is the HSTS max-age in seconds (an int here; SecurityHeaders.HSTS.MaxAge
	// is a time.Duration instead — do not mix the two units).
	HSTSMaxAge int
	// HSTSIncludeSubdomains applies HSTS to subdomains as well.
	HSTSIncludeSubdomains bool
	// HSTSPreload opts into HSTS preloading.
	// NOTE(review): preload-list submission expects includeSubDomains and a long
	// max-age (at least one year); verify both before enabling — confirm.
	HSTSPreload bool
	// ContentSecurityPolicy is the Content-Security-Policy value.
	ContentSecurityPolicy string
	// ReferrerPolicy is the Referrer-Policy value.
	ReferrerPolicy string
	// PermissionsPolicy is the Permissions-Policy value.
	PermissionsPolicy string
	// XContentTypeOptions is the X-Content-Type-Options header value
	// (how it combines with ContentTypeNoSniff is not shown here).
	XContentTypeOptions string
	// ExpectCT enables the Certificate Transparency expectation (Expect-CT).
	// NOTE(review): Expect-CT has been obsoleted by browsers; legacy option — confirm.
	ExpectCT bool
	// ExpectCTMaxAge is the Expect-CT max-age in seconds.
	ExpectCTMaxAge int
	// ExpectCTEnforce makes Expect-CT enforcing rather than report-only.
	ExpectCTEnforce bool
	// CrossOriginEmbedderPolicy is the Cross-Origin-Embedder-Policy value.
	CrossOriginEmbedderPolicy string
	// CrossOriginOpenerPolicy is the Cross-Origin-Opener-Policy value.
	CrossOriginOpenerPolicy string
	// CrossOriginResourcePolicy is the Cross-Origin-Resource-Policy value.
	CrossOriginResourcePolicy string
	// DocumentPolicy is the Document-Policy value.
	DocumentPolicy string
	// ReportTo is the violation-reporting configuration.
	ReportTo string
	// ReportURI is the CSP violation report URI.
	// NOTE(review): report-uri is deprecated in CSP Level 3 in favour of report-to,
	// but is still what browsers without Reporting API support honour — confirm.
	ReportURI string
	// EnableNonce enables a CSP nonce (generation and exposure to templates are
	// not shown here).
	EnableNonce bool
	// EnableUpgradeInsecureRequests enables upgrading of insecure requests
	// (presumably the upgrade-insecure-requests CSP directive — verify).
	EnableUpgradeInsecureRequests bool
	// CSPReporting enables CSP reporting mode (presumably report-only delivery — verify).
	CSPReporting bool
}
Config 安全头部配置
type SecurityHeaders ¶ added in v0.1.26
// SecurityHeaders contains every configurable security HTTP header emitted by
// Middleware.
type SecurityHeaders struct {
	// XFrameOptions controls whether the page may be embedded in an iframe.
	// Values: DENY, SAMEORIGIN, ALLOW-FROM uri
	// NOTE(review): ALLOW-FROM is obsolete and ignored by current browsers;
	// the CSP frame-ancestors directive is the supported way to permit specific
	// framers — confirm before relying on it.
	XFrameOptions string
	// XContentTypeOptions prevents MIME type sniffing.
	// Value: nosniff
	XContentTypeOptions string
	// XSSProtection enables the legacy cross-site scripting filter.
	// Values: 0, 1, 1; mode=block
	// NOTE(review): current mainstream browsers ignore X-XSS-Protection; where the
	// header is still emitted, "0" is the common recommendation — confirm.
	XSSProtection string
	// ContentSecurityPolicy is the Content-Security-Policy value.
	ContentSecurityPolicy string
	// ReferrerPolicy controls when the Referer header is sent.
	ReferrerPolicy string
	// HSTS configures HTTP Strict Transport Security.
	// Enable: whether HSTS is enabled
	// MaxAge: validity period — a time.Duration here, unlike Config.HSTSMaxAge,
	//   which is an int in seconds (how it is rendered into max-age is not shown here)
	// IncludeSubDomains: apply to subdomains
	// Preload: join the HSTS preload list
	HSTS struct {
		Enable            bool
		MaxAge            time.Duration
		IncludeSubDomains bool
		Preload           bool
	}
	// PermissionsPolicy is the Permissions-Policy value.
	PermissionsPolicy string
	// CacheControl is the Cache-Control value.
	CacheControl string
	// ExpectCT configures the Certificate Transparency expectation (Expect-CT).
	// NOTE(review): Expect-CT has been obsoleted by browsers; legacy option — confirm.
	ExpectCT struct {
		Enable    bool
		MaxAge    time.Duration
		Enforce   bool
		ReportURI string
	}
	// CrossOriginEmbedderPolicy is the Cross-Origin-Embedder-Policy value.
	CrossOriginEmbedderPolicy string
	// CrossOriginOpenerPolicy is the Cross-Origin-Opener-Policy value.
	CrossOriginOpenerPolicy string
	// CrossOriginResourcePolicy is the Cross-Origin-Resource-Policy value.
	CrossOriginResourcePolicy string
	// ReportTo is the reporting mechanism configuration.
	ReportTo string
}
SecurityHeaders 包含所有可配置的安全HTTP头
func DefaultSecurityHeaders ¶ added in v0.1.26
func DefaultSecurityHeaders() *SecurityHeaders
DefaultSecurityHeaders 返回推荐的默认安全头设置
func NewSecurityHeaders ¶ added in v0.1.26
func NewSecurityHeaders(options ...func(*SecurityHeaders)) *SecurityHeaders
NewSecurityHeaders 创建安全头设置
func (*SecurityHeaders) Middleware ¶ added in v0.1.26
func (sh *SecurityHeaders) Middleware() func(http.Handler) http.Handler
Middleware 创建一个添加安全头的HTTP中间件