From 028132d13f4092eccf2d0f28c1e41cd638cb8890 Mon Sep 17 00:00:00 2001
From: Hylke Visser
Date: Mon, 8 Jul 2019 10:24:34 +0200
Subject: [PATCH] Add ReferrerPolicy to Secure middleware

---
 echo.go | 1 +
 middleware/secure.go | 8 ++++++++
 middleware/secure_test.go | 5 +++++
 3 files changed, 14 insertions(+)

diff --git a/echo.go b/echo.go
index 0622c8d91..bc63b822b 100644
--- a/echo.go
+++ b/echo.go
@@ -222,6 +222,7 @@ const (
 HeaderContentSecurityPolicy = "Content-Security-Policy"
 HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
 HeaderXCSRFToken = "X-CSRF-Token"
+ HeaderReferrerPolicy = "Referrer-Policy"
 )
 
 const (
diff --git a/middleware/secure.go b/middleware/secure.go
index 77a1487fe..6c4051723 100644
--- a/middleware/secure.go
+++ b/middleware/secure.go
@@ -66,6 +66,11 @@ type (
 // maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
 // Optional. Default value false.
 HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
+
+ // ReferrerPolicy sets the `Referrer-Policy` header providing security against
+ // leaking potentially sensitive request paths to third parties.
+ // Optional. Default value "".
+ ReferrerPolicy string `yaml:"referrer_policy"`
 }
 )
 
@@ -131,6 +136,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
 res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
 }
 }
+ if config.ReferrerPolicy != "" {
+ res.Header().Set(echo.HeaderReferrerPolicy, config.ReferrerPolicy)
+ }
 return next(c)
 }
 }
diff --git a/middleware/secure_test.go b/middleware/secure_test.go
index 96245feab..79bd172ae 100644
--- a/middleware/secure_test.go
+++ b/middleware/secure_test.go
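Review bot: `config.ReferrerPolicy` is written verbatim by `res.Header().Set(echo.HeaderReferrerPolicy, config.ReferrerPolicy)` in the second hunk of middleware/secure.go, with no check that it is one of the tokens the Referrer-Policy specification defines (such as `no-referrer`, `same-origin` or `strict-origin-when-cross-origin`); browsers ignore an unrecognised token and apply their default policy, so a misspelt value fails silently, and the round-trip assertions added in secure_test.go only read the header back and would not catch it. That mirrors how the other header fields in this config are handled, so a documentation note is probably sufficient, but the new comment in the first hunk also overstates what the header does: it governs how much of the current URL the browser includes in the Referer header of requests the page initiates, not whether this server's request paths are exposed. I would reword the field comment to `// ReferrerPolicy sets the Referrer-Policy header, which tells the browser how much of the current URL`, `// (origin, path, query) to include in the Referer header of requests the page makes. The value is sent as-is;`, `// browsers ignore unknown tokens and fall back to their default. Optional. Default value "" (header not set).`. Both hunks cut into SecureConfig and SecureWithConfig, whose definitions begin outside the hunks.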
@@ -25,6 +25,7 @@ func TestSecure(t *testing.T) {
 assert.Equal(t, "SAMEORIGIN", rec.Header().Get(echo.HeaderXFrameOptions))
 assert.Equal(t, "", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+ assert.Equal(t, "", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 // Custom
 req.Header.Set(echo.HeaderXForwardedProto, "https")
@@ -36,6 +37,7 @@ func TestSecure(t *testing.T) {
 XFrameOptions: "",
 HSTSMaxAge: 3600,
 ContentSecurityPolicy: "default-src 'self'",
+ ReferrerPolicy: "origin",
 })(h)(c)
 assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
 assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
@@ -43,6 +45,7 @@ func TestSecure(t *testing.T) {
 assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
 assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
+ assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 // Custom with CSPReportOnly flag
 req.Header.Set(echo.HeaderXForwardedProto, "https")
@@ -55,6 +58,7 @@ func TestSecure(t *testing.T) {
 HSTSMaxAge: 3600,
 ContentSecurityPolicy: "default-src 'self'",
 CSPReportOnly: true,
+ ReferrerPolicy: "origin",
 })(h)(c)
 assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
 assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
@@ -62,6 +66,7 @@ func TestSecure(t *testing.T) {
 assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
 assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+ assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 // Custom, with preload option enabled
 req.Header.Set(echo.HeaderXForwardedProto, "https")