GoBlog/httpMiddlewares.go

package main

import (
	"net/http"
	"net/url"

	"github.com/samber/lo"
	"github.com/tiptophelmet/cspolicy"
	"github.com/tiptophelmet/cspolicy/directives"
	"github.com/tiptophelmet/cspolicy/directives/constraint"
	"github.com/tiptophelmet/cspolicy/src"
)

func noIndexHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Robots-Tag", "noindex")
		next.ServeHTTP(w, r)
	})
}

func fixHTTPHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.URL.RawPath = ""
		next.ServeHTTP(w, r)
	})
}

func headAsGetHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodHead {
			// Clone request and change method
			newReq := new(http.Request)
			*newReq = *r
			newReq.Method = http.MethodGet
			// Serve new request
			next.ServeHTTP(w, newReq)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func (a *goBlog) securityHeaders(next http.Handler) http.Handler {
	// Build CSP domains list
	allowedDomains := []string{}
	if mp := a.cfg.Micropub.MediaStorage; mp != nil && mp.MediaURL != "" {
		if u, err := url.Parse(mp.MediaURL); err == nil {
			allowedDomains = append(allowedDomains, u.Hostname())
		}
	}
	allowedDomains = append(allowedDomains, a.cfg.Server.CSPDomains...)
	defaultSrcList := []src.SourceVal{src.Self(), src.Scheme("blob:")}
	for _, d := range allowedDomains {
		defaultSrcList = append(defaultSrcList, src.Host(d))
	}
	imgSrcList := []src.SourceVal{src.Self(), src.Scheme("data:")}
	for _, d := range allowedDomains {
		imgSrcList = append(imgSrcList, src.Host(d))
	}
	fac := &constraint.FrameAncestorsConstraint{}
	fac.Sources(src.None())
	csp := cspolicy.Build(
		directives.DefaultSrc(defaultSrcList...),
		directives.ImgSrc(imgSrcList...),
		directives.FrameAncestors(fac),
	)
	// Return handler
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000;")
		w.Header().Set("Referrer-Policy", "no-referrer")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Security-Policy", csp)
		next.ServeHTTP(w, r)
	})
}

func (a *goBlog) addOnionLocation(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if a.torAddress != "" {
			w.Header().Set("Onion-Location", a.torAddress+r.URL.RequestURI())
		}
		next.ServeHTTP(w, r)
	})
}

func keepSelectedQueryParams(paramsToKeep ...string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			query := r.URL.Query()
			for param := range query {
				if !lo.Contains(paramsToKeep, param) {
					query.Del(param)
				}
			}
			r.URL.RawQuery = query.Encode()
			next.ServeHTTP(w, r)
		})
	}
}
Reduce complexity of router build method 2021-07-27 10:51:08 +00:00			`package main`

			`import (`
			`"net/http"`
			`"net/url"`
More pooled buffers and don't AP announce replies 2022-02-22 15:52:03 +00:00
Initial profile image support 2022-11-27 14:06:43 +00:00			`"github.com/samber/lo"`
Upgrade dependencies, use library for csp header, remove deprecated security-headers, add some tests 2024-04-16 17:21:55 +00:00			`"github.com/tiptophelmet/cspolicy"`
			`"github.com/tiptophelmet/cspolicy/directives"`
			`"github.com/tiptophelmet/cspolicy/directives/constraint"`
			`"github.com/tiptophelmet/cspolicy/src"`
Reduce complexity of router build method 2021-07-27 10:51:08 +00:00			`)`

			`func noIndexHeader(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`w.Header().Set("X-Robots-Tag", "noindex")`
			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`func fixHTTPHandler(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`r.URL.RawPath = ""`
			`next.ServeHTTP(w, r)`
			`})`
			`}`

Fix 405 on HEAD requests, improve webmention verification 2021-11-19 16:36:03 +00:00			`func headAsGetHandler(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if r.Method == http.MethodHead {`
Fix headAsGetHandler 2022-01-31 10:31:16 +00:00			`// Clone request and change method`
			`newReq := new(http.Request)`
			`newReq = r`
			`newReq.Method = http.MethodGet`
			`// Serve new request`
			`next.ServeHTTP(w, newReq)`
			`return`
Fix 405 on HEAD requests, improve webmention verification 2021-11-19 16:36:03 +00:00			`}`
			`next.ServeHTTP(w, r)`
			`})`
			`}`

Reduce complexity of router build method 2021-07-27 10:51:08 +00:00			`func (a *goBlog) securityHeaders(next http.Handler) http.Handler {`
			`// Build CSP domains list`
Upgrade dependencies, use library for csp header, remove deprecated security-headers, add some tests 2024-04-16 17:21:55 +00:00			`allowedDomains := []string{}`
Reduce complexity of router build method 2021-07-27 10:51:08 +00:00			`if mp := a.cfg.Micropub.MediaStorage; mp != nil && mp.MediaURL != "" {`
			`if u, err := url.Parse(mp.MediaURL); err == nil {`
Upgrade dependencies, use library for csp header, remove deprecated security-headers, add some tests 2024-04-16 17:21:55 +00:00			`allowedDomains = append(allowedDomains, u.Hostname())`
Reduce complexity of router build method 2021-07-27 10:51:08 +00:00			`}`
			`}`
Upgrade dependencies, use library for csp header, remove deprecated security-headers, add some tests 2024-04-16 17:21:55 +00:00			`allowedDomains = append(allowedDomains, a.cfg.Server.CSPDomains...)`
			`defaultSrcList := []src.SourceVal{src.Self(), src.Scheme("blob:")}`
			`for _, d := range allowedDomains {`
			`defaultSrcList = append(defaultSrcList, src.Host(d))`
Reduce complexity of router build method 2021-07-27 10:51:08 +00:00			`}`
Upgrade dependencies, use library for csp header, remove deprecated security-headers, add some tests 2024-04-16 17:21:55 +00:00			`imgSrcList := []src.SourceVal{src.Self(), src.Scheme("data:")}`
			`for _, d := range allowedDomains {`
			`imgSrcList = append(imgSrcList, src.Host(d))`
			`}`
			`fac := &constraint.FrameAncestorsConstraint{}`
			`fac.Sources(src.None())`
			`csp := cspolicy.Build(`
			`directives.DefaultSrc(defaultSrcList...),`
			`directives.ImgSrc(imgSrcList...),`
			`directives.FrameAncestors(fac),`
			`)`
Reduce complexity of router build method 2021-07-27 10:51:08 +00:00			`// Return handler`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`w.Header().Set("Strict-Transport-Security", "max-age=31536000;")`
			`w.Header().Set("Referrer-Policy", "no-referrer")`
			`w.Header().Set("X-Content-Type-Options", "nosniff")`
Make security headers stricter 2023-04-05 06:22:44 +00:00			`w.Header().Set("Content-Security-Policy", csp)`
Fix Tor header on media requests 2021-08-02 19:10:38 +00:00			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`func (a *goBlog) addOnionLocation(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Add option to set extra address for media 2021-08-02 18:43:24 +00:00			`if a.torAddress != "" {`
Initial profile image support 2022-11-27 14:06:43 +00:00			`w.Header().Set("Onion-Location", a.torAddress+r.URL.RequestURI())`
Reduce complexity of router build method 2021-07-27 10:51:08 +00:00			`}`
			`next.ServeHTTP(w, r)`
			`})`
			`}`
Initial profile image support 2022-11-27 14:06:43 +00:00
			`func keepSelectedQueryParams(paramsToKeep ...string) func(http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`query := r.URL.Query()`
			`for param := range query {`
			`if !lo.Contains(paramsToKeep, param) {`
			`query.Del(param)`
			`}`
			`}`
			`r.URL.RawQuery = query.Encode()`
			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`