I'm trying to use unrolled secure for CSP support, but I'm finding the static configuration a little inflexible when trying to configure for websockets. Would there be interest in a new configuration option to support websockets in the connect-src option that was slightly more dynamic?

for websockets the policy looks like connect-src wss://theserver. Since the configuration is statically configured at middleware construction time, and it's hard to know what IP the server is actually serving from until runtime; especially with reverse proxys and containers, etc, this makes it hard to achieve with the current middleware.

Options:

1. write a new middleware and not use the CSP option in unrolled/secure
2. write code which allows dynamic insertion of WSS/WS using the incoming request's Host value.

Would there be interest in take a PR which implemented something like option 2? or should I just go with something like option 1?

Thanks for writing a very useful middleware!

Thanks for maintaining this package.

Any chance we can get a release tag for 2021? I'm trying to implement the PermissionsPolicy header but it is still called FeaturePolicy in v1.0.8.

Becuase the context key:
https://github.com/unrolled/secure/blob/v1/secure.go#L30

Is static, it does not allow for multiple secure instances to act in series, as the second will overwrite the key from the first.

@unrolled, Do you have any qualms with me implementing an overrideable context key to allow chaining instances?

The issue we are encountering is we want to define an instance to configure just https redirection, and then another instance just to handle csp etc, and be more modular.

This doesn't work currently, and we would like to make it work.

Hello there
i have a problem with SSLRedirect, the problem is that i only serve a TLS instance with
http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", n)
and no plain istance.

Visiting localhost:8443 it doesn't redirect me to https://localhost:8443
And in console i get
2017/10/18 17:27:13 http: TLS handshake error from [::1]:39118: tls: first record does not look like a TLS handshake

There is another solution instead of starting a plain instance?

As defined in https://www.w3.org/TR/permissions-policy-1/

The "Referrer-Policy" header is recently introduced and adds support for global restrictions on referrer leakage. It would probably be useful to add support for it here! It's recently been added to the https://securityheaders.io testing website, with a corresponding blog post [1]. Is this something you would be open to?

[1] https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Hello,

I am proxied behind Cloudflare. I Set SSLHost to a number of variations of "https://url.example.co.uk", "https://url.example.co.uk/", "url.example.co.uk", but I keep getting "bad host" at my staging environment.

I should note that my dev environment is working fine, but that's because I've set the IsDevelopment param to true.

I don't think I had this issue before proxying via CloudFlare, so now I am wondering whether that may have caused it. I have also passed all URLs of my project to "AllowedHosts", so technically that should work.

I am slightly lost and was wondering whether you may be able to offer some help. Thanks!

Can we have an Option to pass a function that if set, assigns the allowedHosts list to the list returned by such a function?

ex.

in secure.go

// AllowedHostsFunc a custom function type that returns a list of strings used in place of AllowedHosts list
type AllowedHostsFunc func() []string

...

type Options struct {
  ...
 	AllowedHostsFunc AllowedHostsFunc
  ...
}

   ...
// Allowed hosts check.
	if s.opt.AllowedHostsFunc != nil {
		s.opt.AllowedHosts = s.opt.AllowedHostsFunc()
	}

	if len(s.opt.AllowedHosts) > 0 && !s.opt.IsDevelopment {
   ...

I wrote some tests and seems to satisfy what I need, which is dynamically fetching cached hosts list

is will support this?

I'm currently trying to implement the new (and awesome) dynamic CSP nonce feature to work, but I think I'm doing something wrong.

I created a secure.Options struct with the following params:
secureMiddlewareOptions := secure.Options{ ContentSecurityPolicy: "script-src $NONCE", }

I then add the created middleware to my main negroni route:
secureMiddleware := secure.New(secureMiddlewareOptions) n.Use(negroni.HandlerFunc(secureMiddleware.HandlerFuncWithNext))

The Content-Security-Policy header is added correctly, and the $NONCE is replaced. But instead of replacing it with a random CSP "string" nothing is added. The result looks like this:
Content-Security-Policy:script-src 'nonce-'.

Did I overlook something? Thanks for your help.

Using this code to set up our secure:
securer := secure.Secure(secure.Options{
SSLRedirect: strings.ToLower(os.Getenv("FORCE_SSL")) == "true",
SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
STSSeconds: 315360000,
STSIncludeSubdomains: true,
FrameDeny: true,
ContentTypeNosniff: true,
BrowserXssFilter: true,
})

Always getting 500 errors on HEAD requests to http://[website] when it tries to redirect to https. Is this a known issue? Is there some configuration to get around this? Thanks!

I noticed that in the docs, the value of HSTS is 315360000 seconds which equals to 10 years. In most implementations that I have seen it's just 31536000 which is 1 year. Is this a typo? I can do a quick PR for a fix if needed.

A proxy like Apache transmits certain information over headers when in a reverse proxy configuration [1]. Currently, this repo supports the use of custom headers for detecting when SSL is enabled, via the SSLProxyHeaders option, but this functionality is not present for the AllowedHosts option.

I'm planning to submit a PR for this shortly.

[1] https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers

Worth adding support for Access-Control-Allow-Origin headers? Perhaps even reusing the AllowedHost list?

Hello,

Here is the issue I am encountering:

We have a request that is passed to secure that has been modified by other middleware. The path has been modified, and therefore when passed to secure, the incorrect response is generated.

The solution as far as I see it, is to "unmodify" the path, pass the request to secure, then "remodify" the path after secure has processed the request, but before it passes to next. The issue I am encountering with secure is that processRequest is not exported, and therefore cannot be used by my package.

I am essentially trying to write my own HandlerFuncForRequestOnly (https://github.com/unrolled/secure/blob/v1/secure.go#L183).
Do you think that processRequest could be exported?

Or do you think that we could have a mirrored ProcessNoModifyRequest similar to Process that returns the responseHeaders? something like this:

// ProcessNoModifyRequest runs the actual checks but does not write the headers in the ResponseWriter.
func (s *Secure) ProcessNoModifyRequest(w http.ResponseWriter, r *http.Request) (http.Header, error) {
	return s.processRequest(w, r)
}

Thoughts?

This is the error report: verifying github.com/unrolled/[email protected]: github.com/unrolled/[email protected]: reading https://goproxy.io/sumdb/sum.golang.org/lookup/github.com/unrolled/[email protected]: 410 Gone

Hi, I am seeking to redirect from HTTP to HTTPS, usually the browser may complain that mix-content after redirecting since the original page contains some static http link. Then I saw "Content-Security-Policy: upgrade-insecure-requests" could help from this article.

From the example in this README, I saw it could do the redirection and also there is CSP option, but when I try it out, it can work with redirection but there is no CSP option seen in the http header, what is wrong?

Thanks

Hi @unrolled, as per your suggestion I've put up an alternative CSP middleware that allows dynamic host configuration for the CSP headers. You can find it here:

https://github.com/awakenetworks/csp

Hopefully others with complex CSP requirements will find it useful.

When SSL is enabled the Location response header is not replaced to HTTPS, causing an unnecessary redirect.

hi

we have health check on server which check the server for uptime,
but with forced https, it causes issue.
anyway to allow ignore redirect if either X-Forwarded-Proto is empty or not set
or AllowedHosts is not in the list?

The following are valid values for the X-XSS-Protection header:

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>

Setting BrowserXssFilter to true gives the header the value 1; mode=block, but does not allow for setting it as 1 or 1; report=<reporting-uri>.

It would be nice if there is the possibility of setting it to these values: 1 or 1; report=<reporting-uri>.

According to the README one should use secure with Gin using the Process function. However it doesn't implement the nonce generation like the Handler function.

Should I use one of the Handler functions? If so, how?

Hi

Great work. Thanks for this awesome middleware.

Can I send a PR for adding dynamic CSP nonce?

Proposed Implementation would extend the current solution without breaking anything

Now
ContentSecurityPolicy: "script-src 'self'"

Proposed Solution

ContentSecurityPolicy: "script-src 'self' {{ . }}"

Will use Go's template/text package to change this to to a fmt string i.e. script-src 'self' 'nonce-%s' then use this to send headers on every request with a unique nonce for each request.

Add a new Nonce(r *http.Request) function globally to get the nonce for the present request which can be later used to add nonce to scripts like,

<script nonce="2726c7f26c"> var inline = 1; </script>

There can also a nonce length property.

HPKP was deprecated in 2018.

HPKP was to be replaced by the reactive Certificate Transparency framework coupled with the Expect-CT header but as of today, the Expect-CT header is obsolete.

Chrome requires Certificate Transparency for all publicly trusted certificates issued after April 30, 2018. View ref

go.mod refers to github.com/codegangsta/negroni, but the repo is now named github.com/urfave/negroni

Hello,

Not entirely an issues, but rather a question of use. Could I use this library to strengthen security of access for a publicly facing REST API microservice?

Also, once implemented, is there is a way to validate options manually that they are enabled and properly functioning?

Regards,
Max

The commit 624f918

Avoids an extra redirect by modifying the scheme on the location response header.

However, it does not check that the location referred to in the header is SSLHost.

In effect, it rewrites all location responses to https, even if the proxy implementing unrolled/secure is not handling the domain.

It prevents redirecting to third party http URLs.

The modification should also not rewrite the scheme if there is a port defined in the response header.

Related issue: traefik/traefik#5807

PR Incoming

Forcing HTTPS on all subdomains for 10 years is a dangerous to show on the first example. There should probably be some kind of warning about HSTS - that once you add them and user's browsers accept them, they can't be removed. If this Go server is handling all subdomains, then it'll probably be fine, but many people will have CNAMEs pointing elsewhere for various hosted services, etc.

Could you add an example for the chi library? Thanks.

Please add support for the Expect-CT header. This header allows site admins to get reports from browsers if a received certificated doesn't contain valid Certificate Transparency information. Since CT is now required by all modern browsers this can help admins detect some misconfigurations.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
https://scotthelme.co.uk/a-new-security-header-expect-ct/

The header is already checked (but not scored) by securityheaders.io.

When s.processRequest returns an error, newR is nil, and newR.Context() panics

Hi, I used your redirecting example and I am interested in knowing if it is SAFE to add more headers to secureMiddleware of your example or not? I am very new to security in Go. The thing is that your approach shows that we create one secureMiddleware and pass it to ListenAndServe go routine as well as ListenAndServeTLS.

What if, I do the same thing but add more header to that secureMiddleware? Is this a possibility that hackers somehow get to understand that we are redirected from http to https and therefore we can get into the http version of the server (because I am passing the main gorilla router to ListenAndServe). Does something like this happen?

And what about future links we visit on the site after first redirection? ListenAndServe was used only once when we typed url without https (I am on development right now). I still want to confirm as I am not sure.

Below is my current main function for your reference:

func main() {

	// HTTPS certificate files
	certPath := "server.pem"
	keyPath := "server.key"

	// secure middleware
	secureMiddleware := secure.New(secure.Options{
		AllowedHosts:         []string{"localhost"},
		HostsProxyHeaders:    []string{"X-Forwarded-Host"},
		SSLRedirect:          true,
		SSLHost:              "localhost:443",
		SSLProxyHeaders:      map[string]string{"X-Forwarded-Proto": "https"},
		STSSeconds:           63072000,
		STSIncludeSubdomains: true,
		STSPreload:           true,
		ForceSTSHeader:       false,
		FrameDeny:            true,
		ContentTypeNosniff:   true,
		BrowserXssFilter:     true,
		// I need to change it as Content-Security-Policy: default-src 'self' *.trusted.com if I want to load images from S3 bucket (See - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
		// ContentSecurityPolicy: "default-src 'self'",
		PublicKey:      `pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubdomains; report-uri="https://www.example.com/hpkp-report"`,
		ReferrerPolicy: "same-origin",
		// IsDevelopment:         true,
	})

	// Setting up logging files in append mode
	common.SetupLogging()
	common.Log.Info("On line 35 certPath and keyPath")

	// Setting up mongodb
	mongodb, err := datastore.NewDatastore(datastore.MONGODB, "localhost:27017")
	if err != nil {
		common.Log.Warn(err.Error())
	}
	defer mongodb.Close()

	// Passing mongodb to environment variable
	env := common.Env{DB: mongodb}
	common.Log.Info("On line 44")

	// Router and routes
	r := mux.NewRouter()
	r.Handle("/", handlers.Handler{E: &env, H: handlers.Index}).Methods("GET")

	// Middleware and server
	commonMiddleware := handlers.RecoveryHandler(handlers.PrintRecoveryStack(true))(gh.CombinedLoggingHandler(common.TrafficLog, secureMiddleware.Handler(r)))
	common.Log.Info("On line 49")

	sTLS := &http.Server{
		Addr:           ":443",
		Handler:        commonMiddleware,
		ReadTimeout:    10 * time.Second,
		WriteTimeout:   10 * time.Second,
		MaxHeaderBytes: 1 << 20,
	}

	common.Log.Info("Serving...")

	go func() {
		log.Fatal(http.ListenAndServe(":80", commonMiddleware))
	}()

	log.Fatal(sTLS.ListenAndServeTLS(certPath, keyPath))
}

Or, should we have one secureMiddleware and one redirectMiddleware; the redirectMiddleware will be exactly like the one in your HTTP to HTTPS redirection example in readme. And, pass this redirectMiddleware to ListenAndServe with the main router (in my case r).

Please clarify. And, if we can use same secureMiddleware then I would prefer we add comments stating something like "// you can have more headers here" in the secureMiddleware of redirection example.

我把gin代码示例里的端口改成443端口，然后访问不了，说找不到网页。

Content Security policies can be a long and complex string. Is it worth creating a simple function/struct/builder to make constructing these easier, and in a less error prone way? Something like:

secure.Options{
  ContentSecurityPolicy: secure.ContentSecurityPolicy{
    DefaultSrc: ["self"],
    ScriptSrc: ["self", "www.google-analytics.com"]
  }
}

In my opinion, the if clause for the host check should rather be implemented with a regular expression, since e.g. wildcards are often used to allow subdomains.

What's your point of view on this issue? Should I open a pull request?

Hello, am a graphic designer. Will you be interested in me contributing a logo to your repo project? I would make it for you free, that's if you are interested.

Hello, I am trying to access the generated NONCE using Gin:

nonce := secure.CSPNonce(c.Request.Context())

This always returns an empty string, even tho the nonce appears on the request headers, digging the code I see the nonce beeing added to the request context (I am using the example on the README), but I cant seem to get it properly, here is a more complete example:

func Home(c *gin.Context) {
	c.HTML(http.StatusOK, "home.html", gin.H{
		"nonce":   secure.CSPNonce(c.Request.Context()),
	})
}

func secureFunc(config *app.Config) gin.HandlerFunc {
	// Create secure middleware
	secureMiddleware := secure.New(secure.Options{
		FrameDeny:            true,
		BrowserXssFilter:     true,
		ReferrerPolicy:       "no-referrer",
		ContentTypeNosniff:   true,
		AllowedHostsAreRegex: false,
		SSLRedirect:          !config.DebugMode,
		SSLTemporaryRedirect: false,
		STSSeconds:           31536000,
		ContentSecurityPolicy: fmt.Sprintf(
			"script-src %s",
			"'self' $NONCE",
		),
		IsDevelopment: config.DebugMode,
	})

	return func(c *gin.Context) {
		if err := secureMiddleware.Process(c.Writer, c.Request); err != nil {
			c.AbortWithError(http.StatusInternalServerError, err)
			return
		}

		// Avoid header rewrite if response is a redirection
		if status := c.Writer.Status(); status > 300 && status < 399 {
			c.Abort()
		}
	}
}

Clearly the nonceEnabled should be true (https://github.com/unrolled/secure/blob/v1/secure.go#L248) but the value is not there, I am missing something?

Any ideas?

Thanks