// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//	https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package web is an example package maintained by security experts in a
// development team.
//
// This makes it possible to restrict the usage of net/http package methods used
// for starting an HTTP server, providing a safe way to do it instead.
package web

import (
	"fmt"

	"github.com/google/go-safeweb/safehttp/plugins/coop"
	"github.com/google/go-safeweb/safehttp/plugins/cors"
	"github.com/google/go-safeweb/safehttp/plugins/csp"
	"github.com/google/go-safeweb/safehttp/plugins/fetchmetadata"
	"github.com/google/go-safeweb/safehttp/plugins/framing"
	"github.com/google/go-safeweb/safehttp/plugins/hostcheck"
	"github.com/google/go-safeweb/safehttp/plugins/hsts"
	"github.com/google/go-safeweb/safehttp/plugins/staticheaders"

	"github.com/google/go-safeweb/safehttp"
)

// NewMuxConfig returns a ServeMuxConfig intended for a deployed server, with
// the following interceptors installed, in this order:
//
//   - Cross-Origin-Opener-Policy (coop)
//   - the staticheaders interceptor
//   - Content-Security-Policy (csp)
//   - HSTS
//   - the framing interceptors
//   - Fetch Metadata resource isolation (fetchmetadata)
//   - CORS
//   - Host checking (hostcheck), bound to addr — against DNS rebinding and
//     request smuggling
//
// addr is the host:port the server is expected to be reached at; the host
// checking interceptor accepts only requests addressed to it.
//
// Warning: XSRF protection is currently missing due to
// https://github.com/google/go-safeweb/issues/171.
func NewMuxConfig(addr string) *safehttp.ServeMuxConfig {
	// nil dispatcher: presumably selects the library default — confirm
	// against safehttp.NewServeMuxConfig.
	cfg := safehttp.NewServeMuxConfig(nil)

	// The empty-string arguments below are presumably report endpoints
	// (none configured) — verify in the respective plugin docs.
	cfg.Intercept(coop.Default(""))
	cfg.Intercept(staticheaders.Interceptor{})
	// csp.Default yields several interceptors; every one of them is installed.
	for _, ic := range csp.Default("") {
		cfg.Intercept(ic)
	}
	cfg.Intercept(hsts.Default())
	for _, ic := range framing.Interceptors("") {
		cfg.Intercept(ic)
	}
	cfg.Intercept(fetchmetadata.ResourceIsolationPolicy())
	cfg.Intercept(cors.Default())
	cfg.Intercept(hostcheck.New(addr))

	return cfg
}

// NewMuxConfigDev returns a ServeMuxConfig for local development, with the
// following interceptors installed, in this order:
//
//   - Cross-Origin-Opener-Policy (coop)
//   - Content-Security-Policy (csp)
//   - Fetch Metadata resource isolation (fetchmetadata)
//   - the staticheaders interceptor
//   - Host checking (hostcheck), bound to localhost:port — against DNS
//     rebinding and request smuggling
//
// Unlike NewMuxConfig it installs neither HSTS nor CORS, as these are
// difficult to set up in a development environment; the framing interceptors
// are not installed either. The XSRF gap noted on NewMuxConfig applies here
// as well, since this is a strict subset of that interceptor set.
//
// Important: the host checking interceptor accepts only requests addressed to
// localhost:port, not e.g. 127.0.0.1:port.
func NewMuxConfigDev(port int) *safehttp.ServeMuxConfig {
	// nil dispatcher: presumably selects the library default — confirm
	// against safehttp.NewServeMuxConfig.
	cfg := safehttp.NewServeMuxConfig(nil)

	cfg.Intercept(coop.Default(""))
	for _, ic := range csp.Default("") {
		cfg.Intercept(ic)
	}
	cfg.Intercept(fetchmetadata.ResourceIsolationPolicy())
	cfg.Intercept(staticheaders.Interceptor{})

	// The development server is addressed by the literal name "localhost",
	// so host checking is pinned to exactly that. No HSTS, no CORS.
	cfg.Intercept(hostcheck.New(fmt.Sprintf("localhost:%d", port)))

	return cfg
}