Add `secure` middleware, with sensible values

2020-10-04 14:29:33 -04:00 · 2020-10-04 14:29:33 -04:00 · cd171c40cb
parent 78c40ab6b4
commit cd171c40cb
4 changed files with 25 additions and 8 deletions
--- a/go.mod
+++ b/go.mod
@ -37,6 +37,7 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.7.1
+	github.com/unrolled/secure v1.0.8
 	github.com/ziutek/mymysql v1.5.4 // indirect
 	golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8
 	golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
--- a/go.sum
+++ b/go.sum
@ -375,6 +375,9 @@ github.com/syndtr/goleveldb v0.0.0-20181127023241-353a9fca669c/go.mod h1:Z4AUp2K
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go v0.0.0-20171122102828-84cb69a8af83/go.mod h1:hnLbHMwcvSihnDhEfx2/BzKp2xb0Y+ErdfYcrs9tkJQ=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+github.com/unrolled/secure v1.0.8 h1:JaMvKbe4CRt8oyxVXn+xY+6jlqd7pyJNSVkmsBxxQsM=
+github.com/unrolled/secure v1.0.8/go.mod h1:fO+mEan+FLB0CdEnHf6Q4ZZVNqG+5fuLFnP8p0BXDPI=
+github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
 github.com/wader/tag v0.0.0-20200426234345-d072771f6a51 h1:WAxntH7YQD6fIboAvewi7eU+2PQ7Y1K9OOXh67CM4bY=
 github.com/wader/tag v0.0.0-20200426234345-d072771f6a51/go.mod h1:f3YqVk9PEeVf7T4JQ2+TdRqqjTg2fkaROZv0EMQOuKo=
 github.com/wendal/errors v0.0.0-20130201093226-f66c77a7882b/go.mod h1:Q12BUT7DqIlHRmgv3RskH+UCM/4eqVMgI0EMmlSpAXc=
--- a/server/middlewares.go
+++ b/server/middlewares.go
@ -8,6 +8,7 @@ import (

 	"github.com/deluan/navidrome/log"
 	"github.com/go-chi/chi/middleware"
+	"github.com/unrolled/secure"
 )

 func requestLogger(next http.Handler) http.Handler {
@ -46,6 +47,14 @@ func requestLogger(next http.Handler) http.Handler {
 	})
 }

+func injectLogger(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		ctx = log.NewContext(r.Context(), "requestId", ctx.Value(middleware.RequestIDKey))
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
 func robotsTXT(fs http.FileSystem) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -58,3 +67,14 @@ func robotsTXT(fs http.FileSystem) func(next http.Handler) http.Handler {
 		})
 	}
 }
+
+func secureMiddleware() func(h http.Handler) http.Handler {
+	sec := secure.New(secure.Options{
+		ContentTypeNosniff:    true,
+		FrameDeny:             true,
+		ReferrerPolicy:        "same-origin",
+		FeaturePolicy:         "autoplay 'none'; camera: 'none'; display-capture 'none'; microphone: 'none'; usb: 'none'",
+		ContentSecurityPolicy: "script-src 'self' 'unsafe-inline'",
+	})
+	return sec.Handler
+}
--- a/server/server.go
+++ b/server/server.go
@ -53,6 +53,7 @@ func (a *Server) Run(addr string) {
 func (a *Server) initRoutes() {
 	r := chi.NewRouter()

+	r.Use(secureMiddleware())
 	r.Use(cors.AllowAll().Handler)
 	r.Use(middleware.RequestID)
 	r.Use(middleware.RealIP)
@ -88,11 +89,3 @@ func (a *Server) initScanner() {
 		}
 	}()
 }
-
-func injectLogger(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ctx := r.Context()
-		ctx = log.NewContext(r.Context(), "requestId", ctx.Value(middleware.RequestIDKey))
-		next.ServeHTTP(w, r.WithContext(ctx))
-	})
-}