Secure

Secure middleware sets response headers that protect against cross-site scripting (XSS)
attacks, content type sniffing, clickjacking, insecure connections and other code
injection attacks.

Usage

e.Use(middleware.Secure())

Custom Configuration

Usage

  e := echo.New()
  e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
      XSSProtection:         "",
      ContentTypeNosniff:    "",
      XFrameOptions:         "",
      HSTSMaxAge:            3600,
      ContentSecurityPolicy: "default-src 'self'",
  }))

Passing empty XSSProtection, ContentTypeNosniff, XFrameOptions or ContentSecurityPolicy
disables that protection.

Configuration

  SecureConfig struct {
      // Skipper defines a function to skip middleware.
      Skipper Skipper

      // XSSProtection provides protection against cross-site scripting attack (XSS)
      // by setting the `X-XSS-Protection` header.
      // Optional. Default value "1; mode=block".
      XSSProtection string `json:"xss_protection"`

      // ContentTypeNosniff provides protection against overriding Content-Type
      // header by setting the `X-Content-Type-Options` header.
      // Optional. Default value "nosniff".
      ContentTypeNosniff string `json:"content_type_nosniff"`

      // XFrameOptions can be used to indicate whether or not a browser should
      // be allowed to render a page in a <frame>, <iframe> or <object>.
      // Sites can use this to avoid clickjacking attacks, by ensuring that their
      // content is not embedded into other sites.
      // Optional. Default value "SAMEORIGIN".
      // Possible values:
      // - "SAMEORIGIN" - The page can only be displayed in a frame on the same origin as the page itself.
      // - "DENY" - The page cannot be displayed in a frame, regardless of the site attempting to do so.
      // - "ALLOW-FROM uri" - The page can only be displayed in a frame on the specified origin.
      XFrameOptions string `json:"x_frame_options"`

      // HSTSMaxAge sets the `Strict-Transport-Security` header to indicate how
      // long (in seconds) browsers should remember that this site is only to
      // be accessed using HTTPS. This reduces your exposure to some SSL-stripping
      // man-in-the-middle (MITM) attacks.
      // Optional. Default value 0.
      HSTSMaxAge int `json:"hsts_max_age"`

      // HSTSExcludeSubdomains won't include the subdomains tag in the
      // `Strict-Transport-Security` header, excluding all subdomains from the
      // security policy. It has no effect unless HSTSMaxAge is set to a
      // non-zero value.
      // Optional. Default value false.
      HSTSExcludeSubdomains bool `json:"hsts_exclude_subdomains"`

      // ContentSecurityPolicy sets the `Content-Security-Policy` header providing
      // security against cross-site scripting (XSS), clickjacking and other code
      // injection attacks resulting from execution of malicious content in the
      // trusted web page context.
      // Optional. Default value "".
      ContentSecurityPolicy string `json:"content_security_policy"`
  }

Default Configuration

  DefaultSecureConfig = SecureConfig{
      Skipper:            DefaultSkipper,
      XSSProtection:      "1; mode=block",
      ContentTypeNosniff: "nosniff",
      XFrameOptions:      "SAMEORIGIN",
  }
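To make the configuration semantics above concrete (empty string disables a header, HSTS only appears for a non-zero HSTSMaxAge, and HSTSExcludeSubdomains only matters in that case), here is an added stand-alone reimplementation on plain net/http. It is example code, not Echo's own middleware; it assumes the "; includeSubdomains" token spelling and emits HSTS regardless of whether the request arrived over TLS, which is a simplification for illustration.

```go
package main

import (
	"net/http"
	"strconv"
)

// SecureConfig mirrors the fields of Echo's middleware.SecureConfig documented above.
// Added stand-alone reimplementation of the documented semantics on net/http, not Echo's code.
type SecureConfig struct {
	XSSProtection         string
	ContentTypeNosniff    string
	XFrameOptions         string
	HSTSMaxAge            int
	HSTSExcludeSubdomains bool
	ContentSecurityPolicy string
}

// setIf sets a header only when the value is non-empty: empty disables that protection.
func setIf(h http.Header, name, value string) {
	if value != "" {
		h.Set(name, value)
	}
}
// Headers returns the response headers the configuration produces. HSTS is
// emitted only for a non-zero HSTSMaxAge; HSTSExcludeSubdomains matters only then.
func (c SecureConfig) Headers() http.Header {
	h := http.Header{}
	setIf(h, "X-XSS-Protection", c.XSSProtection)
	setIf(h, "X-Content-Type-Options", c.ContentTypeNosniff)
	setIf(h, "X-Frame-Options", c.XFrameOptions)
	setIf(h, "Content-Security-Policy", c.ContentSecurityPolicy)
	if c.HSTSMaxAge != 0 {
		v := "max-age=" + strconv.Itoa(c.HSTSMaxAge)
		if !c.HSTSExcludeSubdomains {
			v += "; includeSubdomains" // token spelling assumed for this example
		}
		h.Set("Strict-Transport-Security", v)
	}
	return h
}

// Secure wraps next so the headers are written before the handler runs.
func Secure(cfg SecureConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range cfg.Headers() {
			w.Header()[k] = v
		}
		next.ServeHTTP(w, r)
	})
}
```

Feeding the custom configuration from the Usage section into Headers yields only Strict-Transport-Security and Content-Security-Policy, while the default configuration yields the three default headers and no HSTS.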