path: root/echo/middleware/strict_secure.go
blob: 2705724aab277c37ce955d30ec99d5204933b6f0 (plain)
package middleware

import (
	gltime "code.crute.us/mcrute/golib/time"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

// StrictSecure returns a Secure middleware with strict settings which match
// the legacy nginx proxy defaults.
//
// The configuration enables these response headers:
//   - X-Content-Type-Options: nosniff
//   - Referrer-Policy: same-origin
//   - Strict-Transport-Security with a two year max-age, applied to
//     subdomains as well and opting in to browser preload lists
//
// X-Frame-Options and X-XSS-Protection are deliberately configured empty so
// that the middleware leaves them out (see the notes on each field below).
// No Content-Security-Policy is configured here, so a frame-ancestors
// directive has to be supplied elsewhere if clickjacking protection is
// required for the served pages.
//
// NOTE(review): echo's Secure middleware is expected to emit the HSTS header
// only for TLS requests or when X-Forwarded-Proto is "https" -- confirm the
// fronting proxy forwards that header.
func StrictSecure() echo.MiddlewareFunc {
	// Two years, in seconds, as the HSTS max-age directive expects.
	hstsMaxAge := gltime.ToSeconds(2 * gltime.Year)

	cfg := middleware.SecureConfig{
		// Should never be used according to:
		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
		XSSProtection: "",

		// No longer used, subsumed by the frame-ancestors directive of CSP:
		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
		XFrameOptions: "",

		ContentTypeNosniff: "nosniff",
		ReferrerPolicy:     "same-origin",

		// includeSubDomains plus preload is a long-lived commitment that
		// browsers on the preload list will not forget quickly, so only serve
		// this from a host where every subdomain is reachable over TLS.
		HSTSMaxAge:            hstsMaxAge,
		HSTSExcludeSubdomains: false,
		HSTSPreloadEnabled:    true,
	}

	return middleware.SecureWithConfig(cfg)
}