go-safeweb
Secure-by-default HTTP servers in Go.
As of today, interceptor defaults are constructed in various different ways:
* `NewPlugin` for `fetchmetadata`
* `Default` for `coop` and `csp`
* Just an `Interceptor` literal for `staticheaders`
* A...
We currently know that if `fmt.Printf` is banned, one cannot directly call `fmt.Printf()`. But does the following snippet bypass the check?

```go
x := fmt.Printf
x("hey")
```
### Issue

Currently any HTML file served as a static file will not run any JS, as we do not inject nonces in static files. We should provide a way...
Currently "Dispatcher" conveys the meaning of something that moves the responses to the output, that dispatches Write calls to response writers. What it does not convey is that it has...
When we have multiple interceptors installed on the `ServeMux` and one of them panics, what happens? Should `After/Commit` stages be run? Which ones? In which order? And so on. This...
As much as we are relying on the type system to do the heavy lifting, we should create linters for some things:
* ban imports (with an allowlist for exceptions) e.g....
Goal: Provide a way for developers to install (1) all the plugins needed for a secure web app, and (2) the plugins that work for their setup. Example: We have...
Currently we install the htmlxsrf protection by default; we should provide a way to use the Angular one instead.