mirror of
https://github.com/hatchet-dev/hatchet.git
synced 2026-03-17 18:22:39 -05:00
c2248c08ab
* add a bunch of default headers * add a check on the emails so we don't resend if we have a valid invite in future * lets people invite for a new role * add in some logging so we have more visibility on what is hapening here * Add a limit to the number of pending invites a user can have. Add comments for the various headers
57 lines
3.1 KiB
Go
57 lines
3.1 KiB
Go
package headers
|
|
|
|
import (
|
|
"github.com/labstack/echo/v4"
|
|
|
|
"github.com/hatchet-dev/hatchet/api/v1/server/middleware"
|
|
)
|
|
|
|
func Middleware() middleware.MiddlewareFunc {
|
|
return func(r *middleware.RouteInfo) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
// ensure the Strict-Transport-Security header is set for all
|
|
// endpoints, as it will help ensure protection against TLS protocol downgrade
|
|
// attacks and cookie hijacking. The header also ensures that browsers only serve
|
|
// requests using a secure HTTPS connection.
|
|
c.Response().Header().Set("Strict-Transport-Security", "max-age=776000; includeSubDomains; preload")
|
|
|
|
// Adds a layer of defense against a range of content
|
|
// injection vulnerabilities by allowing the application to inform the client of expected
|
|
// resource sources. This can be used to prevent scripts from external sources from
|
|
// being injected into the application.
|
|
c.Response().Header().Set("Content-Security-Policy", "script-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'")
|
|
|
|
// Defines how much information browsers include in the referrer
|
|
// header when users navigate away from the application, which can prevent
|
|
// information disclosure.
|
|
c.Response().Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
|
|
|
|
// Helps prevent clickjacking attacks by preventing the application from being framed in undesirable locations.
|
|
c.Response().Header().Set("X-Frame-Options", "DENY")
|
|
|
|
// Used to prevent MIME-sniffing, which is the process in
|
|
// which browsers attempt to determine the content type and encoding of an HTTP
|
|
// response if these properties are incorrect or not present within the HTTP headers.
|
|
|
|
c.Response().Header().Set("X-Content-Type-Options", "nosniff")
|
|
|
|
// allows you to control which origins can use which browser
|
|
// features, both in the top-level page and in embedded frames. For every feature
|
|
// controlled by Feature Policy, the feature is only enabled in the current document
|
|
// or frame if its origin matches the allowed list of origins.
|
|
c.Response().Header().Set("Permissions-Policy", "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(self), payment=()")
|
|
|
|
// The require-corp directive implies that the document can only access resources that are either from the same origin or have been specifically granted permission otherwise.
|
|
|
|
c.Response().Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
|
|
|
|
// Cross-Origin-Opener-Policy prevents a document from being opened in a browsing context that has a different opener than its own. This helps prevent attacks where a document is opened in a new tab or window and is able to navigate the opening document to a malicious URL.
|
|
c.Response().Header().Set("Cross-Origin-Opener-Policy", "same-origin")
|
|
|
|
// Only requests from the same origin (i.e. scheme + host + port) can read the resource.
|
|
c.Response().Header().Set("Cross-Origin-Resource-Policy", "same-origin")
|
|
return nil
|
|
}
|
|
}
|
|
}
|