mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-15 20:38:00 +00:00
632639ae7f
* feat: enable iframe use * cleanup * fix mocks * fix linting * docs: add iframe usage to solution scenarios configurations * improve api * feat(console): security policy * description * remove unnecessary line * disable input button and urls when not enabled * add image to docs Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
105 lines
2.6 KiB
Go
105 lines
2.6 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"net/http"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
http_utils "github.com/zitadel/zitadel/internal/api/http"
|
|
)
|
|
|
|
type securityKey int
|
|
|
|
const (
|
|
nonceKey securityKey = 0
|
|
|
|
DefaultNonceLength = uint(32)
|
|
)
|
|
|
|
func SecurityHeaders(csp *CSP, errorHandler func(error) http.Handler, nonceLength ...uint) func(http.Handler) http.Handler {
|
|
return func(handler http.Handler) http.Handler {
|
|
if csp == nil {
|
|
csp = &DefaultSCP
|
|
}
|
|
length := DefaultNonceLength
|
|
if len(nonceLength) > 0 {
|
|
length = nonceLength[0]
|
|
}
|
|
return &headers{
|
|
csp: csp,
|
|
handler: handler,
|
|
errorHandler: errorHandler,
|
|
nonceLength: length,
|
|
}
|
|
}
|
|
}
|
|
|
|
type headers struct {
|
|
csp *CSP
|
|
handler http.Handler
|
|
errorHandler func(err error) http.Handler
|
|
nonceLength uint
|
|
}
|
|
|
|
func (h *headers) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
nonce := GetNonce(r)
|
|
if nonce == "" {
|
|
var err error
|
|
nonce, err = generateNonce(h.nonceLength)
|
|
if err != nil {
|
|
errorHandler := h.errorHandler
|
|
if errorHandler == nil {
|
|
errorHandler = func(err error) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
})
|
|
}
|
|
}
|
|
errorHandler(err).ServeHTTP(w, r)
|
|
return
|
|
}
|
|
r = saveContext(r, nonceKey, nonce)
|
|
}
|
|
allowedHosts := authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()
|
|
headers := w.Header()
|
|
headers.Set(http_utils.ContentSecurityPolicy, h.csp.Value(nonce, r.Host, allowedHosts))
|
|
headers.Set(http_utils.XXSSProtection, "1; mode=block")
|
|
headers.Set(http_utils.StrictTransportSecurity, "max-age=31536000; includeSubDomains")
|
|
if len(allowedHosts) == 0 {
|
|
headers.Set(http_utils.XFrameOptions, "DENY")
|
|
}
|
|
headers.Set(http_utils.XContentTypeOptions, "nosniff")
|
|
headers.Set(http_utils.ReferrerPolicy, "same-origin")
|
|
headers.Set(http_utils.FeaturePolicy, "payment 'none'")
|
|
headers.Set(http_utils.PermissionsPolicy, "payment=()")
|
|
//PLANNED: add expect-ct
|
|
|
|
h.handler.ServeHTTP(w, r)
|
|
}
|
|
|
|
func GetNonce(r *http.Request) string {
|
|
nonce, _ := getContext(r, nonceKey).(string)
|
|
return nonce
|
|
}
|
|
|
|
func generateNonce(length uint) (string, error) {
|
|
b := make([]byte, length)
|
|
_, err := rand.Read(b)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return base64.StdEncoding.EncodeToString(b), nil
|
|
}
|
|
|
|
func saveContext(r *http.Request, key, value interface{}) *http.Request {
|
|
ctx := context.WithValue(r.Context(), key, value)
|
|
return r.WithContext(ctx)
|
|
}
|
|
|
|
func getContext(r *http.Request, key interface{}) interface{} {
|
|
return r.Context().Value(key)
|
|
}
|