-rw-r--r--echo/middleware/strict_secure.go10
1 files changed, 8 insertions, 2 deletions
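--- a/echo/middleware/strict_secure.go
+++ b/echo/middleware/strict_secure.go
@@ -11,12 +11,18 @@ import (
 // the legacy nginx proxy defaults.
 func StrictSecure() echo.MiddlewareFunc {
 	return middleware.SecureWithConfig(middleware.SecureConfig{
-		XFrameOptions: "SAMEORIGIN",
 		ContentTypeNosniff: "nosniff",
-		XSSProtection: "1; mode=block",
 		ReferrerPolicy: "same-origin",
 		HSTSExcludeSubdomains: false,
 		HSTSPreloadEnabled: true,
 		HSTSMaxAge: gltime.ToSeconds(2 * gltime.Year),
+
+		// No longer used, subsumed by the frame-source option of CSP:
+		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+		XFrameOptions: "",
+
+		// Should never be used according to:
+		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+		XSSProtection: "",
 	})
 }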
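Review bot: Clearing XFrameOptions at new line 22 removes the framing restriction from every response, but nothing in this SecureConfig sets ContentSecurityPolicy with a frame-ancestors directive to take its place, so unless a CSP is emitted elsewhere (the proxy or another middleware) pages become embeddable from any origin. The comment above it also names the wrong directive: frame-src limits what this page may embed, while frame-ancestors is the one that supersedes X-Frame-Options. Suggest adding `ContentSecurityPolicy: "frame-ancestors 'self'",` to the config, or keeping `XFrameOptions: "SAMEORIGIN",` until a CSP is in place, and rewording the comment to `// Superseded by the frame-ancestors directive of CSP:`. Dropping X-XSS-Protection matches the linked guidance; an empty value makes the middleware omit the header rather than send the explicit `0` MDN mentions, which is acceptable for current browsers.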