From d8682aca94aa2ece7a6fc0b9556ea97d61b317d8 Mon Sep 17 00:00:00 2001
From: Azareal
Date: Wed, 15 Aug 2018 18:06:48 +1000
Subject: [PATCH] Move these header sets to the start of the router.

---
 common/routes_common.go | 6 ------
 gen_router.go           | 6 ++++++
 router_gen/main.go      | 6 ++++++
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/common/routes_common.go b/common/routes_common.go
index 8af46e29..1608a1ab 100644
--- a/common/routes_common.go
+++ b/common/routes_common.go
@@ -292,12 +292,6 @@ func preRoute(w http.ResponseWriter, r *http.Request) (User, bool) {
 		usercpy.LastIP = host
 	}
 
-	h := w.Header()
-	h.Set("X-Frame-Options", "deny")
-	h.Set("X-XSS-Protection", "1; mode=block") // TODO: Remove when we add a CSP? CSP's are horrendously glitchy things, tread with caution before removing
-	// TODO: Set the content policy header
-	h.Set("X-Content-Type-Options", "nosniff")
-
 	return *usercpy, true
 }
 
diff --git a/gen_router.go b/gen_router.go
index a4efdab5..493da1de 100644
--- a/gen_router.go
+++ b/gen_router.go
@@ -668,6 +668,12 @@ func (router *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	h := w.Header()
+	h.Set("X-Frame-Options", "deny")
+	h.Set("X-XSS-Protection", "1; mode=block") // TODO: Remove when we add a CSP? CSP's are horrendously glitchy things, tread with caution before removing
+	// TODO: Set the content policy header
+	h.Set("X-Content-Type-Options", "nosniff")
+
 	// TODO: Cover more suspicious strings and at a lower layer than this
 	for _, char := range req.URL.Path {
 		if char != '&' && !(char > 44 && char < 58) && char != '=' && char != '?' && !(char > 64 && char < 91) && char != '\\' && char != '_' && !(char > 96 && char < 123) {
diff --git a/router_gen/main.go b/router_gen/main.go
index a5e7243b..880446e8 100644
--- a/router_gen/main.go
+++ b/router_gen/main.go
@@ -445,6 +445,12 @@ func (router *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	h := w.Header()
+	h.Set("X-Frame-Options", "deny")
+	h.Set("X-XSS-Protection", "1; mode=block") // TODO: Remove when we add a CSP? CSP's are horrendously glitchy things, tread with caution before removing
+	// TODO: Set the content policy header
+	h.Set("X-Content-Type-Options", "nosniff")
+
 	// TODO: Cover more suspicious strings and at a lower layer than this
 	for _, char := range req.URL.Path {
 		if char != '&' && !(char > 44 && char < 58) && char != '=' && char != '?' && !(char > 64 && char < 91) && char != '\\' && char != '_' && !(char > 96 && char < 123) {
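Review bot: The header block is inserted just below the `return` whose closing brace is the hunk's leading context, so any response that earlier branch writes still leaves without `X-Frame-Options`, `X-Content-Type-Options` and `X-XSS-Protection`; unless that branch provably writes nothing, the five lines belong above it as the first statements of ServeHTTP, which starts outside the hunk so I cannot confirm what it does. The identical block in the gen_router.go hunk is the generated output of this file and should come from rerunning the generator rather than a hand edit, or the two will drift. Because `h.Set` is unconditional, any downstream handler that also calls `Set` on these keys silently replaces the policy, which is worth stating in a comment such as `// Default security headers for every response; handlers that Set these keys override them, so audit any that do`. Note also that current browsers have dropped the XSS auditor, so `1; mode=block` is inert there and the CSP in the TODO is the control that actually matters.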