authenticate: add CSP headers to this service only (#120)

2025-06-02 19:04:14 +02:00 · 2019-05-14 22:29:24 -07:00 · 2019-05-14 22:29:24 -07:00 · 27d4683662
commit 27d4683662
parent cfac5f10ff
3 changed files with 13 additions and 8 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -15,17 +15,24 @@ import (
 	"github.com/pomerium/pomerium/internal/version"
 )

+// CSPHeaders adds content security headers for authenticate's handlers
+var CSPHeaders = map[string]string{
+	"Content-Security-Policy": "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';",
+	"Referrer-Policy":         "Same-origin",
+}
+
 // Handler returns the authenticate service's HTTP request multiplexer, and routes.
 func (a *Authenticate) Handler() http.Handler {
 	// validation middleware chain
-	validate := middleware.NewChain()
-	validate = validate.Append(middleware.ValidateSignature(a.SharedKey))
+	c := middleware.NewChain()
+	c = c.Append(middleware.SetHeaders(CSPHeaders))
+	validate := c.Append(middleware.ValidateSignature(a.SharedKey))
 	validate = validate.Append(middleware.ValidateRedirectURI(a.RedirectURL))
 	mux := http.NewServeMux()
-	mux.HandleFunc("/robots.txt", a.RobotsTxt)
+	mux.Handle("/robots.txt", c.ThenFunc(a.RobotsTxt))
 	// Identity Provider (IdP) callback endpoints and callbacks
-	mux.HandleFunc("/start", a.OAuthStart)
-	mux.HandleFunc("/oauth2/callback", a.OAuthCallback)
+	mux.Handle("/start", c.ThenFunc(a.OAuthStart))
+	mux.Handle("/oauth2/callback", c.ThenFunc(a.OAuthCallback))
 	// authenticate-server endpoints
 	mux.Handle("/sign_in", validate.ThenFunc(a.SignIn))
 	mux.Handle("/sign_out", validate.ThenFunc(a.SignOut)) // GET POST
--- a/cmd/pomerium/options.go
+++ b/cmd/pomerium/options.go
@ -68,8 +68,6 @@ var defaultOptions = &Options{
 		"X-Frame-Options":           "SAMEORIGIN",
 		"X-XSS-Protection":          "1; mode=block",
 		"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
-		"Content-Security-Policy":   "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';",
-		"Referrer-Policy":           "Same-origin",
 	},
 }

--- a/docs/docs/certificates.md
+++ b/docs/docs/certificates.md
@ -20,7 +20,7 @@ It should be noted that there are countless ways of building and managing [publi

 ::: warning

-LetsEncrypt certificates certificates must be renewed [every 90 days](https://letsencrypt.org/2015/11/09/why-90-days.html).
+LetsEncrypt certificates must be renewed [every 90 days](https://letsencrypt.org/2015/11/09/why-90-days.html).

 :::