security

package
v0.1.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 21, 2026 License: MIT Imports: 4 Imported by: 0

Documentation

Overview

Package security provides HTTP security middleware and utilities.

Package security provides HTTP security middleware.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Headers

func Headers(opts ...Option) func(http.Handler) http.Handler

Headers returns middleware that adds security headers to responses.

Example:

mux := http.NewServeMux()
handler := security.Headers(
    security.WithCSP("default-src 'self'"),
    security.WithHSTS(365*24*time.Hour, true),
)(mux)

func ValidateOrigin

func ValidateOrigin(r *http.Request) bool

ValidateOrigin checks if the request's Origin or Referer header matches the expected host. This provides CSRF protection for form submissions.

Returns true if the request origin is valid, false otherwise.

The validation: - Parses the Origin header (or Referer as fallback) as a URL - Compares the parsed host against the request's Host header - Allows localhost/127.0.0.1 for development

Example:

func HandleLogin(w http.ResponseWriter, r *http.Request) {
    if !security.ValidateOrigin(r) {
        http.Error(w, "Invalid request origin", http.StatusForbidden)
        return
    }
    // Process login...
}

func ValidateOriginAllowEmpty

func ValidateOriginAllowEmpty(r *http.Request) bool

ValidateOriginAllowEmpty is like ValidateOrigin but allows requests without Origin/Referer headers. This is useful for endpoints that need to accept requests from non-browser clients while still protecting against CSRF from browsers.

Example:

func HandleAPILogin(w http.ResponseWriter, r *http.Request) {
    if !security.ValidateOriginAllowEmpty(r) {
        http.Error(w, "Invalid request origin", http.StatusForbidden)
        return
    }
    // Process login...
}

Types

type HeadersConfig

type HeadersConfig struct {
	// CSP is the Content-Security-Policy header value.
	CSP string

	// HSTSMaxAge sets the Strict-Transport-Security max-age directive.
	// Set to 0 to disable HSTS.
	HSTSMaxAge time.Duration

	// HSTSIncludeSubDomains includes subdomains in HSTS.
	HSTSIncludeSubDomains bool

	// FrameOptions sets X-Frame-Options (e.g., "DENY", "SAMEORIGIN").
	FrameOptions string

	// ContentTypeNoSniff enables X-Content-Type-Options: nosniff.
	ContentTypeNoSniff bool

	// XSSProtection sets X-XSS-Protection header.
	XSSProtection string

	// ReferrerPolicy sets the Referrer-Policy header.
	ReferrerPolicy string
}

HeadersConfig holds configuration for security headers.

func DefaultConfig

func DefaultConfig() HeadersConfig

DefaultConfig returns a sensible default configuration.

type Option

type Option func(*HeadersConfig)

Option configures HeadersConfig.

func WithCSP

func WithCSP(csp string) Option

WithCSP sets the Content-Security-Policy header.

Example:

security.Headers(security.WithCSP("default-src 'self'"))

func WithContentTypeNoSniff

func WithContentTypeNoSniff() Option

WithContentTypeNoSniff enables X-Content-Type-Options: nosniff.

func WithFrameOptions

func WithFrameOptions(value string) Option

WithFrameOptions sets X-Frame-Options header.

Example:

security.Headers(security.WithFrameOptions("DENY"))

func WithHSTS

func WithHSTS(maxAge time.Duration, includeSubDomains bool) Option

WithHSTS enables HTTP Strict Transport Security.

Example:

security.Headers(security.WithHSTS(365 * 24 * time.Hour, true))

func WithReferrerPolicy

func WithReferrerPolicy(policy string) Option

WithReferrerPolicy sets Referrer-Policy header.

Example:

security.Headers(security.WithReferrerPolicy("strict-origin-when-cross-origin"))

func WithXSSProtection

func WithXSSProtection(value string) Option

WithXSSProtection sets X-XSS-Protection header.

Example:

security.Headers(security.WithXSSProtection("1; mode=block"))

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL