3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-09 06:12:42 +02:00
Code Issues Projects Releases Packages Wiki Activity

authenticate: add CSP headers to this service only (#120)

Browse source
This commit is contained in:
Bobby DeSimone 2019-05-14 22:29:24 -07:00 committed by GitHub
parent cfac5f10ff
commit 27d4683662
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

17
authenticate/handlers.go
View file

@ -15,17 +15,24 @@ import (
"github.com/pomerium/pomerium/internal/version" "github.com/pomerium/pomerium/internal/version"
) )
// CSPHeaders adds content security headers for authenticate's handlers
var CSPHeaders = map[string]string{
"Content-Security-Policy": "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';",
"Referrer-Policy": "Same-origin",
}
// Handler returns the authenticate service's HTTP request multiplexer, and routes. // Handler returns the authenticate service's HTTP request multiplexer, and routes.
func (a *Authenticate) Handler() http.Handler { func (a *Authenticate) Handler() http.Handler {
// validation middleware chain // validation middleware chain
validate := middleware.NewChain() c := middleware.NewChain()
validate = validate.Append(middleware.ValidateSignature(a.SharedKey)) c = c.Append(middleware.SetHeaders(CSPHeaders))
validate := c.Append(middleware.ValidateSignature(a.SharedKey))
validate = validate.Append(middleware.ValidateRedirectURI(a.RedirectURL)) validate = validate.Append(middleware.ValidateRedirectURI(a.RedirectURL))
mux := http.NewServeMux() mux := http.NewServeMux()
mux.HandleFunc("/robots.txt", a.RobotsTxt) mux.Handle("/robots.txt", c.ThenFunc(a.RobotsTxt))
// Identity Provider (IdP) callback endpoints and callbacks // Identity Provider (IdP) callback endpoints and callbacks
mux.HandleFunc("/start", a.OAuthStart) mux.Handle("/start", c.ThenFunc(a.OAuthStart))
mux.HandleFunc("/oauth2/callback", a.OAuthCallback) mux.Handle("/oauth2/callback", c.ThenFunc(a.OAuthCallback))
// authenticate-server endpoints // authenticate-server endpoints
mux.Handle("/sign_in", validate.ThenFunc(a.SignIn)) mux.Handle("/sign_in", validate.ThenFunc(a.SignIn))
mux.Handle("/sign_out", validate.ThenFunc(a.SignOut)) // GET POST mux.Handle("/sign_out", validate.ThenFunc(a.SignOut)) // GET POST

2
cmd/pomerium/options.go
View file

@ -68,8 +68,6 @@ var defaultOptions = &Options{
"X-Frame-Options": "SAMEORIGIN", "X-Frame-Options": "SAMEORIGIN",
"X-XSS-Protection": "1; mode=block", "X-XSS-Protection": "1; mode=block",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload", "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
"Content-Security-Policy": "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';",
"Referrer-Policy": "Same-origin",
}, },
} }

2
docs/docs/certificates.md
View file

@ -20,7 +20,7 @@ It should be noted that there are countless ways of building and managing [publi
::: warning ::: warning
LetsEncrypt certificates certificates must be renewed [every 90 days](https://letsencrypt.org/2015/11/09/why-90-days.html). LetsEncrypt certificates must be renewed [every 90 days](https://letsencrypt.org/2015/11/09/why-90-days.html).
::: :::