Diffstat (limited to 'echo/middleware/strict_secure.go')
-rw-r--r-- | echo/middleware/strict_secure.go | 10 |
1 files changed, 8 insertions, 2 deletions
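--- a/echo/middleware/strict_secure.go
+++ b/echo/middleware/strict_secure.go
@@ -11,12 +11,18 @@ import (
 // the legacy nginx proxy defaults.
 func StrictSecure() echo.MiddlewareFunc {
 return middleware.SecureWithConfig(middleware.SecureConfig{
-XFrameOptions: "SAMEORIGIN",
 ContentTypeNosniff: "nosniff",
-XSSProtection: "1; mode=block",
 ReferrerPolicy: "same-origin",
 HSTSExcludeSubdomains: false,
 HSTSPreloadEnabled: true,
 HSTSMaxAge: gltime.ToSeconds(2 * gltime.Year),
+
+// No longer used, subsumed by the frame-source option of CSP:
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+XFrameOptions: "",
+
+// Should never be used according to:
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+XSSProtection: "",
 })
 }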
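Review bot: Clearing `XFrameOptions` removes the only clickjacking control visible in this config, because no `ContentSecurityPolicy` field is set in the `SecureConfig` literal, so nothing in the hunk actually replaces it. The comment also names the wrong directive: `frame-src` restricts what this page may embed, whereas `frame-ancestors` is the CSP directive that supersedes X-Frame-Options. Keep `XFrameOptions: "SAMEORIGIN"` until a `ContentSecurityPolicy: "frame-ancestors 'self'"` (constructed example) is configured in the same literal, and change the comment to `// Superseded by the frame-ancestors directive of CSP:`. Dropping `XSSProtection` matches current guidance and is fine on its own. The import block the hunk header references starts before the hunk.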