Secure Middleware

Secure middleware provides protection against cross-site scripting (XSS) attack,content type sniffing, clickjacking, insecure connection and other code injectionattacks.

Usage

e.Use(middleware.Secure())

Custom Configuration

Usage

  1. e := echo.New()
  2. e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
  3.     XSSProtection:         "",
  4.     ContentTypeNosniff:    "",
  5.     XFrameOptions:         "",
  6.     HSTSMaxAge:            3600,
  7.     ContentSecurityPolicy: "default-src 'self'",
  8. }))

Passing empty XSSProtection, ContentTypeNosniff, XFrameOptions or ContentSecurityPolicydisables that protection.

Configuration

  1. SecureConfig struct {
  2.   // Skipper defines a function to skip middleware.
  3.   Skipper Skipper
  5.   // XSSProtection provides protection against cross-site scripting attack (XSS)
  6.   // by setting the `X-XSS-Protection` header.
  7.   // Optional. Default value "1; mode=block".
  8.   XSSProtection string `yaml:"xss_protection"`
  10.   // ContentTypeNosniff provides protection against overriding Content-Type
  11.   // header by setting the `X-Content-Type-Options` header.
  12.   // Optional. Default value "nosniff".
  13.   ContentTypeNosniff string `yaml:"content_type_nosniff"`
  15.   // XFrameOptions can be used to indicate whether or not a browser should
  16.   // be allowed to render a page in a <frame>, <iframe> or <object> .
  17.   // Sites can use this to avoid clickjacking attacks, by ensuring that their
  18.   // content is not embedded into other sites.provides protection against
  19.   // clickjacking.
  20.   // Optional. Default value "SAMEORIGIN".
  21.   // Possible values:
  22.   // - "SAMEORIGIN" - The page can only be displayed in a frame on the same origin as the page itself.
  23.   // - "DENY" - The page cannot be displayed in a frame, regardless of the site attempting to do so.
  24.   // - "ALLOW-FROM uri" - The page can only be displayed in a frame on the specified origin.
  25.   XFrameOptions string `yaml:"x_frame_options"`
  27.   // HSTSMaxAge sets the `Strict-Transport-Security` header to indicate how
  28.   // long (in seconds) browsers should remember that this site is only to
  29.   // be accessed using HTTPS. This reduces your exposure to some SSL-stripping
  30.   // man-in-the-middle (MITM) attacks.
  31.   // Optional. Default value 0.
  32.   HSTSMaxAge int `yaml:"hsts_max_age"`
  34.   // HSTSExcludeSubdomains won't include subdomains tag in the `Strict Transport Security`
  35.   // header, excluding all subdomains from security policy. It has no effect
  36.   // unless HSTSMaxAge is set to a non-zero value.
  37.   // Optional. Default value false.
  38.   HSTSExcludeSubdomains bool `yaml:"hsts_exclude_subdomains"`
  40.   // ContentSecurityPolicy sets the `Content-Security-Policy` header providing
  41.   // security against cross-site scripting (XSS), clickjacking and other code
  42.   // injection attacks resulting from execution of malicious content in the
  43.   // trusted web page context.
  44.   // Optional. Default value "".
  45.   ContentSecurityPolicy string `yaml:"content_security_policy"`
  46. }

Default Configuration

  1. DefaultSecureConfig = SecureConfig{
  2.   Skipper:            DefaultSkipper,
  3.   XSSProtection:      "1; mode=block",
  4.   ContentTypeNosniff: "nosniff",
  5.   XFrameOptions:      "SAMEORIGIN",
  6. }