Documentation
¶
Overview ¶
Package security provides HTTP security middleware and utilities.
Package security provides HTTP security middleware.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Headers ¶
Headers returns middleware that adds security headers to responses.
Example:
mux := http.NewServeMux()
handler := security.Headers(
security.WithCSP("default-src 'self'"),
security.WithHSTS(365*24*time.Hour, true),
)(mux)
func ValidateOrigin ¶
ValidateOrigin checks if the request's Origin or Referer header matches the expected host. This provides CSRF protection for form submissions.
Returns true if the request origin is valid, false otherwise.
The validation: - Parses the Origin header (or Referer as fallback) as a URL - Compares the parsed host against the request's Host header - Allows localhost/127.0.0.1 for development
Example:
func HandleLogin(w http.ResponseWriter, r *http.Request) {
if !security.ValidateOrigin(r) {
http.Error(w, "Invalid request origin", http.StatusForbidden)
return
}
// Process login...
}
func ValidateOriginAllowEmpty ¶
ValidateOriginAllowEmpty is like ValidateOrigin but allows requests without Origin/Referer headers. This is useful for endpoints that need to accept requests from non-browser clients while still protecting against CSRF from browsers.
Example:
func HandleAPILogin(w http.ResponseWriter, r *http.Request) {
if !security.ValidateOriginAllowEmpty(r) {
http.Error(w, "Invalid request origin", http.StatusForbidden)
return
}
// Process login...
}
Types ¶
type HeadersConfig ¶
type HeadersConfig struct {
// CSP is the Content-Security-Policy header value.
CSP string
// HSTSMaxAge sets the Strict-Transport-Security max-age directive.
// Set to 0 to disable HSTS.
HSTSMaxAge time.Duration
// HSTSIncludeSubDomains includes subdomains in HSTS.
HSTSIncludeSubDomains bool
// FrameOptions sets X-Frame-Options (e.g., "DENY", "SAMEORIGIN").
FrameOptions string
// ContentTypeNoSniff enables X-Content-Type-Options: nosniff.
ContentTypeNoSniff bool
// XSSProtection sets X-XSS-Protection header.
XSSProtection string
// ReferrerPolicy sets the Referrer-Policy header.
ReferrerPolicy string
}
HeadersConfig holds configuration for security headers.
func DefaultConfig ¶
func DefaultConfig() HeadersConfig
DefaultConfig returns a sensible default configuration.
type Option ¶
type Option func(*HeadersConfig)
Option configures HeadersConfig.
func WithCSP ¶
WithCSP sets the Content-Security-Policy header.
Example:
security.Headers(security.WithCSP("default-src 'self'"))
func WithContentTypeNoSniff ¶
func WithContentTypeNoSniff() Option
WithContentTypeNoSniff enables X-Content-Type-Options: nosniff.
func WithFrameOptions ¶
WithFrameOptions sets X-Frame-Options header.
Example:
security.Headers(security.WithFrameOptions("DENY"))
func WithHSTS ¶
WithHSTS enables HTTP Strict Transport Security.
Example:
security.Headers(security.WithHSTS(365 * 24 * time.Hour, true))
func WithReferrerPolicy ¶
WithReferrerPolicy sets Referrer-Policy header.
Example:
security.Headers(security.WithReferrerPolicy("strict-origin-when-cross-origin"))
func WithXSSProtection ¶
WithXSSProtection sets X-XSS-Protection header.
Example:
security.Headers(security.WithXSSProtection("1; mode=block"))