middleware: add security related HTTP(S) response headers (#17522)

* x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
2025-02-25 18:55:37 -06:00 · 2019-06-12 13:15:50 +02:00
parent 41fb38d522
commit 599514ad68
5 changed files with 120 additions and 8 deletions
--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -1,6 +1,7 @@
 package middleware

 import (
+	"fmt"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -242,10 +243,35 @@ func AddDefaultResponseHeaders() macaron.Handler {
 			if !setting.AllowEmbedding {
 				AddXFrameOptionsDenyHeader(w)
 			}
+
+			AddSecurityHeaders(w)
 		})
 	}
 }

+// AddSecurityHeaders adds various HTTP(S) response headers that enable various security protections behaviors in the client's browser.
+func AddSecurityHeaders(w macaron.ResponseWriter) {
+	if setting.Protocol == setting.HTTPS && setting.StrictTransportSecurity {
+		strictHeader := "Strict-Transport-Security"
+		w.Header().Add(strictHeader, fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge))
+		if setting.StrictTransportSecurityPreload {
+			w.Header().Add(strictHeader, "preload")
+		}
+		if setting.StrictTransportSecuritySubDomains {
+			w.Header().Add(strictHeader, "includeSubDomains")
+		}
+	}
+
+	if setting.ContentTypeProtectionHeader {
+		w.Header().Add("X-Content-Type-Options", "nosniff")
+	}
+
+	if setting.XSSProtectionHeader {
+		w.Header().Add("X-XSS-Protection", "1")
+		w.Header().Add("X-XSS-Protection", "mode=block")
+	}
+}
+
 func AddNoCacheHeaders(w macaron.ResponseWriter) {
 	w.Header().Add("Cache-Control", "no-cache")
 	w.Header().Add("Pragma", "no-cache")