Commit bd08d8ce by Kyle Brandt Committed by GitHub

middleware: fix Strict-Transport-Security header (#17644)

fixes #17641
parent 40161584
...@@ -255,14 +255,14 @@ func AddDefaultResponseHeaders() macaron.Handler { ...@@ -255,14 +255,14 @@ func AddDefaultResponseHeaders() macaron.Handler {
// AddSecurityHeaders adds various HTTP(S) response headers that enable various security protections behaviors in the client's browser. // AddSecurityHeaders adds various HTTP(S) response headers that enable various security protections behaviors in the client's browser.
func AddSecurityHeaders(w macaron.ResponseWriter) { func AddSecurityHeaders(w macaron.ResponseWriter) {
if setting.Protocol == setting.HTTPS && setting.StrictTransportSecurity { if setting.Protocol == setting.HTTPS && setting.StrictTransportSecurity {
strictHeader := "Strict-Transport-Security" strictHeaderValues := []string{fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge)}
w.Header().Add(strictHeader, fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge))
if setting.StrictTransportSecurityPreload { if setting.StrictTransportSecurityPreload {
w.Header().Add(strictHeader, "preload") strictHeaderValues = append(strictHeaderValues, "preload")
} }
if setting.StrictTransportSecuritySubDomains { if setting.StrictTransportSecuritySubDomains {
w.Header().Add(strictHeader, "includeSubDomains") strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
} }
w.Header().Add("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
} }
if setting.ContentTypeProtectionHeader { if setting.ContentTypeProtectionHeader {
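Review bot: The joined value is still written with `w.Header().Add("Strict-Transport-Security", ...)`, so if this function runs twice on one request, or another handler has already emitted an HSTS header, the response carries two `Strict-Transport-Security` fields; RFC 6797 §8.1 tells user agents to process only the first such field and ignore the rest, which is the same failure mode this commit fixes for the split directives. `w.Header().Set("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))` keeps the one-field invariant regardless of call order. The hunk also introduces `strings.Join`, so `strings` must already be in the file's import block, which is outside the visible hunk. Since `preload` can be emitted on its own here, a comment on that branch such as `// preload is only accepted by the browser preload list together with includeSubDomains and a max-age of at least one year` would save operators from submitting a policy the list rejects.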
...@@ -21,6 +21,39 @@ import ( ...@@ -21,6 +21,39 @@ import (
"gopkg.in/macaron.v1" "gopkg.in/macaron.v1"
) )
func TestMiddleWareSecurityHeaders(t *testing.T) {
setting.ERR_TEMPLATE_NAME = "error-template"
Convey("Given the grafana middleware", t, func() {
middlewareScenario(t, "middleware should get correct x-xss-protection header", func(sc *scenarioContext) {
setting.XSSProtectionHeader = true
sc.fakeReq("GET", "/api/").exec()
So(sc.resp.Header().Get("X-XSS-Protection"), ShouldEqual, "1; mode=block")
})
middlewareScenario(t, "middleware should not get x-xss-protection when disabled", func(sc *scenarioContext) {
setting.XSSProtectionHeader = false
sc.fakeReq("GET", "/api/").exec()
So(sc.resp.Header().Get("X-XSS-Protection"), ShouldBeEmpty)
})
middlewareScenario(t, "middleware should add correct Strict-Transport-Security header", func(sc *scenarioContext) {
setting.StrictTransportSecurity = true
setting.Protocol = setting.HTTPS
setting.StrictTransportSecurityMaxAge = 64000
sc.fakeReq("GET", "/api/").exec()
So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000")
setting.StrictTransportSecurityPreload = true
sc.fakeReq("GET", "/api/").exec()
So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000; preload")
setting.StrictTransportSecuritySubDomains = true
sc.fakeReq("GET", "/api/").exec()
So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000; preload; includeSubDomains")
})
})
}
func TestMiddlewareContext(t *testing.T) { func TestMiddlewareContext(t *testing.T) {
setting.ERR_TEMPLATE_NAME = "error-template" setting.ERR_TEMPLATE_NAME = "error-template"
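Review bot: The Strict-Transport-Security scenario sets `setting.Protocol`, `setting.StrictTransportSecurity`, `setting.StrictTransportSecurityPreload` and `setting.StrictTransportSecuritySubDomains` and never restores them, so every test that runs afterwards in this package (including `TestMiddlewareContext`, which begins right after the hunk) executes with HTTPS and a fully-enabled HSTS policy, and any test relying on the defaults becomes order-dependent. A deferred reset at the top of the scenario keeps the package-level state hermetic. The hunk also has no negative case for HSTS, unlike the X-XSS-Protection pair above it: a scenario with `setting.StrictTransportSecurity = true` but `setting.Protocol` left at a non-HTTPS value, asserting `ShouldBeEmpty`, would pin the condition that the header is only emitted over HTTPS.
```go
middlewareScenario(t, "middleware should add correct Strict-Transport-Security header", func(sc *scenarioContext) {
	origProtocol := setting.Protocol
	defer func() {
		setting.Protocol = origProtocol
		setting.StrictTransportSecurity = false
		setting.StrictTransportSecurityPreload = false
		setting.StrictTransportSecuritySubDomains = false
	}()
	// … unchanged: the three fakeReq/So assertions …
})
```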