github.com/gofiber/fiber/v2@v2.47.0/middleware/helmet/helmet.go (about)

     1  package helmet
     2  
     3  import (
     4  	"fmt"
     5  
     6  	"github.com/gofiber/fiber/v2"
     7  )
     8  
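// New creates a new middleware handler.
//
// The optional Config is resolved once, when New is called; the returned
// handler then writes the configured security headers onto every response
// and hands off to the next handler with c.Next(). Because the headers are
// written *before* c.Next(), anything later in the chain can still override
// or delete them — mount this middleware so that nothing downstream rewrites
// them by accident.
//
// A header whose config value is the empty string is not emitted at all;
// that is the supported way to switch an individual header off.
func New(config ...Config) fiber.Handler {
	// Resolve defaults once; the per-request closure below only reads cfg.
	cfg := configDefault(config...)

	return func(c *fiber.Ctx) error {
		// Caller-supplied per-request bypass.
		if cfg.Next != nil && cfg.Next(c) {
			return c.Next()
		}

		// Plain "set if configured" headers. Values are copied verbatim from
		// the operator-controlled config; nothing here validates them.
		//
		// NOTE(review): X-XSS-Protection is a legacy header. The usual current
		// guidance is to send "0", because the browser XSS auditor it enables
		// has itself been a source of vulnerabilities. The default is decided
		// in configDefault, not here — check it there.
		setIfConfigured(c, fiber.HeaderXXSSProtection, cfg.XSSProtection)
		setIfConfigured(c, fiber.HeaderXContentTypeOptions, cfg.ContentTypeNosniff)
		setIfConfigured(c, fiber.HeaderXFrameOptions, cfg.XFrameOptions)
		setIfConfigured(c, "Cross-Origin-Embedder-Policy", cfg.CrossOriginEmbedderPolicy)
		setIfConfigured(c, "Cross-Origin-Opener-Policy", cfg.CrossOriginOpenerPolicy)
		setIfConfigured(c, "Cross-Origin-Resource-Policy", cfg.CrossOriginResourcePolicy)
		setIfConfigured(c, "Origin-Agent-Cluster", cfg.OriginAgentCluster)
		setIfConfigured(c, "Referrer-Policy", cfg.ReferrerPolicy)
		setIfConfigured(c, "X-DNS-Prefetch-Control", cfg.XDNSPrefetchControl)
		setIfConfigured(c, "X-Download-Options", cfg.XDownloadOptions)
		setIfConfigured(c, "X-Permitted-Cross-Domain-Policies", cfg.XPermittedCrossDomain)

		// Strict-Transport-Security.
		//
		// Emitted only on HTTPS responses: browsers ignore HSTS received over
		// plain HTTP (RFC 6797), so sending it there would only mislead.
		// c.Protocol() is what decides "https" here; behind a TLS-terminating
		// proxy that reports the scheme via X-Forwarded-Proto this presumably
		// works only when the proxy is trusted by the app config — confirm
		// against fiber.Ctx.Protocol for the deployed fiber version, otherwise
		// HSTS silently never leaves the server.
		//
		// max-age is a non-negative delta-seconds value. A negative HSTSMaxAge
		// used to be serialised as "max-age=-N", an invalid directive that
		// browsers discard; treat it as "disabled" rather than emitting it.
		if cfg.HSTSMaxAge > 0 && c.Protocol() == "https" {
			hsts := fmt.Sprintf("max-age=%d", cfg.HSTSMaxAge)
			if !cfg.HSTSExcludeSubdomains {
				hsts += "; includeSubDomains"
			}
			if cfg.HSTSPreloadEnabled {
				// Preload-list submission additionally requires
				// includeSubDomains and a max-age of at least one year; that
				// is not enforced here, the token is emitted as requested.
				hsts += "; preload"
			}
			c.Set(fiber.HeaderStrictTransportSecurity, hsts)
		}

		// Content-Security-Policy: report-only mode changes the header name,
		// not the policy text, so a policy can be trialled before enforcing it.
		if cfg.ContentSecurityPolicy != "" {
			header := fiber.HeaderContentSecurityPolicy
			if cfg.CSPReportOnly {
				header = fiber.HeaderContentSecurityPolicyReportOnly
			}
			c.Set(header, cfg.ContentSecurityPolicy)
		}

		setIfConfigured(c, fiber.HeaderPermissionsPolicy, cfg.PermissionPolicy)

		return c.Next()
	}
}

// setIfConfigured writes the response header name=value, skipping it when
// value is empty (the config's "disabled" sentinel).
func setIfConfigured(c *fiber.Ctx, name, value string) {
	if value != "" {
		c.Set(name, value)
	}
}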