go-safeweb
Secure-by-default HTTP servers in Go.
https://owasp.org/www-community/attacks/Path_Traversal

Check the behavior of Go's standard library file server functions, like:
- [`http.FileServer`](https://godoc.org/net/http#FileServer)
- [`http.ServeFile`](https://godoc.org/net/http#ServeFile)
We currently support CSP frame-ancestors as a framing protection. We should also send the X-Frame-Options as a fallback option for older browsers.
# CORP

`Cross-Origin-Resource-Policy` needs to be set to same-origin on all responses that are not protected by the CORS plugin (those should get a cross-origin value instead). There should be...
Currently we require people to use `http.ServeMux`, but we might want to think about a way to allow people to use their own routers.
This error might confuse developers on a solution due to that error message.

- [x] Tests pass
This is important for XSRF double-submit cookies and for other [potential non-security related breakages](https://drupal.stackexchange.com/questions/25271/what-does-the-vary-cookie-header-actually-do-for-serving-pages-from-varnish). Note: we cannot claim `Vary` but we should just add the value.
It is currently possible to use the default dispatcher to write JSON, templated HTML and static HTML. It would be beneficial to add one more type to allow text/plain strings...
Currently the `ResponseWriter.Redirect` method still checks whether the given status code is in the right range. We have removed this check for `WriteError` and should remove it for `Redirect` too.
https://godoc.org/golang.org/x/net/xsrftoken is problematic from a secure-design perspective:

* It takes a raw key as a String parameter, which tends to lead to application code with poor key management practices (hard-coded...
See design [here](https://github.com/golang/go/issues/42166)