SecureConfig defines the config for Secure middleware.
| 11 | |
| 12 | // SecureConfig defines the config for Secure middleware. |
| 13 | type SecureConfig struct { |
| 14 | // Skipper defines a function to skip middleware. |
| 15 | Skipper Skipper |
| 16 | |
| 17 | // XSSProtection provides protection against cross-site scripting attack (XSS) |
| 18 | // by setting the `X-XSS-Protection` header. |
| 19 | // Optional. Default value "1; mode=block". |
| 20 | XSSProtection string |
| 21 | |
| 22 | // ContentTypeNosniff provides protection against overriding Content-Type |
| 23 | // header by setting the `X-Content-Type-Options` header. |
| 24 | // Optional. Default value "nosniff". |
| 25 | ContentTypeNosniff string |
| 26 | |
| 27 | // XFrameOptions can be used to indicate whether or not a browser should |
| 28 | // be allowed to render a page in a <frame>, <iframe> or <object>. |
| 29 | // Sites can use this to avoid clickjacking attacks, by ensuring that their |
| 30 | // content is not embedded into other sites. It provides protection against |
| 31 | // clickjacking. |
| 32 | // Optional. Default value "SAMEORIGIN". |
| 33 | // Possible values: |
| 34 | // - "SAMEORIGIN" - The page can only be displayed in a frame on the same origin as the page itself. |
| 35 | // - "DENY" - The page cannot be displayed in a frame, regardless of the site attempting to do so. |
| 36 | // - "ALLOW-FROM uri" - The page can only be displayed in a frame on the specified origin. |
| 37 | XFrameOptions string |
| 38 | |
| 39 | // HSTSMaxAge sets the `Strict-Transport-Security` header to indicate how |
| 40 | // long (in seconds) browsers should remember that this site is only to |
| 41 | // be accessed using HTTPS. This reduces your exposure to some SSL-stripping |
| 42 | // man-in-the-middle (MITM) attacks. |
| 43 | // Optional. Default value 0. |
| 44 | HSTSMaxAge int |
| 45 | |
| 46 | // HSTSExcludeSubdomains won't include the includeSubDomains tag in the `Strict-Transport-Security` |
| 47 | // header, excluding all subdomains from security policy. It has no effect |
| 48 | // unless HSTSMaxAge is set to a non-zero value. |
| 49 | // Optional. Default value false. |
| 50 | HSTSExcludeSubdomains bool |
| 51 | |
| 52 | // ContentSecurityPolicy sets the `Content-Security-Policy` header providing |
| 53 | // security against cross-site scripting (XSS), clickjacking and other code |
| 54 | // injection attacks resulting from execution of malicious content in the |
| 55 | // trusted web page context. |
| 56 | // Optional. Default value "". |
| 57 | ContentSecurityPolicy string |
| 58 | |
| 59 | // CSPReportOnly would use the `Content-Security-Policy-Report-Only` header instead |
| 60 | // of the `Content-Security-Policy` header. This allows iterative updates of the |
| 61 | // content security policy by only reporting the violations that would |
| 62 | // have occurred instead of blocking the resource. |
| 63 | // Optional. Default value false. |
| 64 | CSPReportOnly bool |
| 65 | |
| 66 | // HSTSPreloadEnabled will add the preload tag in the `Strict-Transport-Security` |
| 67 | // header, which enables the domain to be included in the HSTS preload list |
| 68 | // maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/ |
| 69 | // Optional. Default value false. |
| 70 | HSTSPreloadEnabled bool |