
add a couple HTTP response headers #1450

Jan 16, 2018
22 changes: 19 additions & 3 deletions libpages/server.go
Expand Up @@ -287,6 +287,20 @@ func (s *Server) logRequest(sri *ServedRequestInfo, requestPath string) {
)
}

func (s *Server) setCommonResponseHeaders(w http.ResponseWriter) {
// Enforce XSS protection. References:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
// https://blog.innerht.ml/the-misunderstood-x-xss-protection/
w.Header().Set("X-XSS-Protection", "1; mode=block")
// Only allow HTTPS on this domain, and make this policy expire in a
// week. This means if user decides to migrate off Keybase Pages, there's a
// 1-week gap before they can use HTTP again. Note that we don't use the
// 'preload' directive, for the same reason we use 302 instead of 301 for
// HTTP->HTTPS redirection. Reference: https://hstspreload.org/#opt-in
w.Header().Set("Strict-Transport-Security", "max-age=604800; includeSubDomains")
// TODO: allow user to opt-in some directives of Content-Security-Policy?
Contributor Author

CSP is present on a Neocities site as follows:

content-security-policy: upgrade-insecure-requests; default-src 'unsafe-inline' 'unsafe-eval' 'self' data: blob: *

But it seems these all should be opt-in by user, perhaps through the .kbp_config, thus the TODO. But let me know if anybody feels differently.

}

// ServeHTTP implements the http.Handler interface.
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
sri := &ServedRequestInfo{
Expand All @@ -301,12 +315,13 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
defer s.logRequest(sri, r.URL.Path)

s.setCommonResponseHeaders(w)

// Don't serve the config file itself.
if path.Clean(strings.ToLower(r.URL.Path)) == config.DefaultConfigFilepath {
// TODO: integrate this check into Config?
w.WriteHeader(http.StatusForbidden)
fmt.Fprintf(w, "Reading %s directly is forbidden.",
config.DefaultConfigFilepath)
http.Error(w, fmt.Sprintf("Reading %s directly is forbidden.",
config.DefaultConfigFilepath), http.StatusForbidden)
return
}

Expand Down Expand Up @@ -340,6 +355,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
sri.CloningShown = true
// TODO: replace this with something nicer when fancy error pages and
// landing pages are ready.
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusServiceUnavailable)
w.Write(cloningLandingPage)
return
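Review bot: `includeSubDomains` on the Strict-Transport-Security value in setCommonResponseHeaders extends the HTTPS-only pin to every subdomain of the served host, not just the one Keybase Pages serves; since these look like user-owned domains, a site owner who also runs an HTTP-only subdomain elsewhere (an internal or legacy host, say) would find it unreachable in browsers for a week after one visit to their pages site, and the "only allow HTTPS on this domain" comment does not mention that. I would either drop the directive (`w.Header().Set("Strict-Transport-Security", "max-age=604800")`) and route `includeSubDomains` through the same opt-in mechanism the CSP TODO envisions, or at minimum extend the comment with `// includeSubDomains also pins every subdomain of the user's domain, including ones not hosted here.` Note too that browsers only honor HSTS on a TLS response, so if the plain-HTTP redirect path mentioned in the comment shares this handler the header is harmless there but also ineffective; that path is outside the hunk. The body of ServeHTTP continues outside the hunk.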