httpd: add cross origin resource and embedder policy headers

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino
2025-01-24 19:33:45 +01:00
parent 83ee977746
commit 48258f6e67
6 changed files with 68 additions and 34 deletions


@@ -1244,17 +1244,19 @@ func (s *httpdServer) initializeRouter() {
s.router.Use(middleware.Recoverer)
if s.binding.Security.Enabled {
secureMiddleware := secure.New(secure.Options{
AllowedHosts: s.binding.Security.AllowedHosts,
AllowedHostsAreRegex: s.binding.Security.AllowedHostsAreRegex,
HostsProxyHeaders: s.binding.Security.HostsProxyHeaders,
SSLProxyHeaders: s.binding.Security.getHTTPSProxyHeaders(),
STSSeconds: s.binding.Security.STSSeconds,
STSIncludeSubdomains: s.binding.Security.STSIncludeSubdomains,
STSPreload: s.binding.Security.STSPreload,
ContentTypeNosniff: s.binding.Security.ContentTypeNosniff,
ContentSecurityPolicy: s.binding.Security.ContentSecurityPolicy,
PermissionsPolicy: s.binding.Security.PermissionsPolicy,
CrossOriginOpenerPolicy: s.binding.Security.CrossOriginOpenerPolicy,
AllowedHosts: s.binding.Security.AllowedHosts,
AllowedHostsAreRegex: s.binding.Security.AllowedHostsAreRegex,
HostsProxyHeaders: s.binding.Security.HostsProxyHeaders,
SSLProxyHeaders: s.binding.Security.getHTTPSProxyHeaders(),
STSSeconds: s.binding.Security.STSSeconds,
STSIncludeSubdomains: s.binding.Security.STSIncludeSubdomains,
STSPreload: s.binding.Security.STSPreload,
ContentTypeNosniff: s.binding.Security.ContentTypeNosniff,
ContentSecurityPolicy: s.binding.Security.ContentSecurityPolicy,
PermissionsPolicy: s.binding.Security.PermissionsPolicy,
CrossOriginOpenerPolicy: s.binding.Security.CrossOriginOpenerPolicy,
CrossOriginResourcePolicy: s.binding.Security.CrossOriginResourcePolicy,
CrossOriginEmbedderPolicy: s.binding.Security.CrossOriginEmbedderPolicy,
})
secureMiddleware.SetBadHostHandler(http.HandlerFunc(s.badHostHandler))
if s.binding.Security.CacheControl == "private" {
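Review bot: The two options added at the end of the `secure.Options` literal, `CrossOriginResourcePolicy` and `CrossOriginEmbedderPolicy`, are copied from the binding configuration as free-form strings, and nothing visible in this hunk checks them against the tokens browsers accept. A misspelled value would presumably be emitted as-is and ignored by the browser, so the isolation the operator configured would be silently absent; validation may exist in one of the other changed files, which are not visible here. If it does not, reject unknown values when the binding is loaded, and add a comment above the literal such as `// CORP/COEP values are sent verbatim; browsers ignore unrecognised tokens`. The option documentation should also state that a Cross-Origin-Embedder-Policy of `require-corp` blocks cross-origin subresources that lack CORP or CORS headers, since that can break embedded content after an upgrade. `initializeRouter` starts before and continues after this hunk.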