github.com/google/go-safeweb@v0.0.0-20231219055052-64d8cfc90fbb/safehttp/defaults/defaults.go (about)

     1  // Copyright 2020 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //	https://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package defaults provides ready-to-use, safe, pre-configured instances of safehttp types.
    16  package defaults
    17  
    18  import (
    19  	"errors"
    20  
    21  	"github.com/google/go-safeweb/safehttp"
    22  	"github.com/google/go-safeweb/safehttp/plugins/coop"
    23  	"github.com/google/go-safeweb/safehttp/plugins/csp"
    24  	"github.com/google/go-safeweb/safehttp/plugins/fetchmetadata"
    25  	"github.com/google/go-safeweb/safehttp/plugins/framing"
    26  	"github.com/google/go-safeweb/safehttp/plugins/hostcheck"
    27  	"github.com/google/go-safeweb/safehttp/plugins/hsts"
    28  	"github.com/google/go-safeweb/safehttp/plugins/staticheaders"
    29  	"github.com/google/go-safeweb/safehttp/plugins/xsrf/xsrfhtml"
    30  )
    31  
// ServeMuxConfig returns a safehttp.ServeMuxConfig with the default set of
// security interceptors already installed, so callers start from a safe
// baseline instead of assembling the interceptor chain by hand.
//
// hosts must list every host name the resulting mux will be served on and
// may not be empty; it is what hostcheck.New is configured with.
//
// xsrfKey is the secret application key passed to the xsrfhtml interceptor
// and may not be empty. Emptiness is the only check performed here: nothing
// enforces the key's length or entropy, so callers are responsible for
// supplying a long, unpredictable secret and keeping it out of source control.
//
// On invalid input a non-nil error is returned and no config is created.
func ServeMuxConfig(hosts []string, xsrfKey string) (*safehttp.ServeMuxConfig, error) {
	if err := validateDefaults(hosts, xsrfKey); err != nil {
		return nil, err
	}

	cfg := safehttp.NewServeMuxConfig(nil)
	installDefaultInterceptors(cfg, hosts, xsrfKey)
	return cfg, nil
}

// validateDefaults rejects the inputs ServeMuxConfig cannot work with: an
// empty host list or an empty XSRF key. The host list is checked first, so a
// call that gets both wrong reports the host problem.
func validateDefaults(hosts []string, xsrfKey string) error {
	switch {
	case len(hosts) == 0:
		return errors.New("hosts slice cannot be empty")
	case xsrfKey == "":
		return errors.New("xsrfKey cannot be empty")
	default:
		return nil
	}
}

// installDefaultInterceptors registers the default interceptor chain on cfg.
// The registration order is deliberate and must be preserved: the group
// labelled non-blocking is installed first, then the blocking group.
func installDefaultInterceptors(cfg *safehttp.ServeMuxConfig, hosts []string, xsrfKey string) {
	// Non-blocking:
	cfg.Intercept(staticheaders.Interceptor{})
	cfg.Intercept(hsts.Default())
	// TODO(empijei): add a report group once we support reporting.
	cfg.Intercept(coop.Default(""))
	// TODO(empijei): add a report-uri once we support reporting.
	for _, ic := range csp.Default("") {
		cfg.Intercept(ic)
	}

	// Blocking:
	cfg.Intercept(hostcheck.New(hosts...))
	cfg.Intercept(fetchmetadata.ResourceIsolationPolicy())
	// The XSRF interceptor is keyed with the caller-supplied secret.
	cfg.Intercept(&xsrfhtml.Interceptor{SecretAppKey: xsrfKey})
	for _, ic := range framing.Interceptors("") {
		cfg.Intercept(ic)
	}
}