feat(secure): support Content-Security-Policy-Report-Only header

Kumar Harsh · Kumar Harsh · commit 1881ca4cb2bd · 2019-02-27T11:54:59.000+05:30
Closes #1283
diff --git a/echo.go b/echo.go
@@ -212,12 +212,13 @@ const (
 	HeaderAccessControlMaxAge           = "Access-Control-Max-Age"
 
 	// Security
-	HeaderStrictTransportSecurity = "Strict-Transport-Security"
-	HeaderXContentTypeOptions     = "X-Content-Type-Options"
-	HeaderXXSSProtection          = "X-XSS-Protection"
-	HeaderXFrameOptions           = "X-Frame-Options"
-	HeaderContentSecurityPolicy   = "Content-Security-Policy"
-	HeaderXCSRFToken              = "X-CSRF-Token"
+	HeaderStrictTransportSecurity         = "Strict-Transport-Security"
+	HeaderXContentTypeOptions             = "X-Content-Type-Options"
+	HeaderXXSSProtection                  = "X-XSS-Protection"
+	HeaderXFrameOptions                   = "X-Frame-Options"
+	HeaderContentSecurityPolicy           = "Content-Security-Policy"
+	HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
+	HeaderXCSRFToken                      = "X-CSRF-Token"
 )
 
 const (
diff --git a/middleware/secure.go b/middleware/secure.go
@@ -53,6 +53,13 @@ type (
 		// trusted web page context.
 		// Optional. Default value "".
 		ContentSecurityPolicy string `yaml:"content_security_policy"`
+
+		// CSPReportOnly would use the `Content-Security-Policy-Report-Only` header instead
+		// of the `Content-Security-Policy` header. This allows iterative updates of the
+		// content security policy by only reporting the violations that would
+		// have occurred instead of blocking the resource.
+		// Optional. Default value false.
+		CSPReportOnly bool `yaml:"csp_report_only"`
 	}
 )
 
@@ -108,7 +115,11 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
 				res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains))
 			}
 			if config.ContentSecurityPolicy != "" {
-				res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
+				if config.CSPReportOnly {
+					res.Header().Set(echo.HeaderContentSecurityPolicyReportOnly, config.ContentSecurityPolicy)
+				} else {
+					res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
+				}
 			}
 			return next(c)
 		}
diff --git a/middleware/secure_test.go b/middleware/secure_test.go
@@ -42,4 +42,24 @@ func TestSecure(t *testing.T) {
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
+
+	// Custom with CSPReportOnly flag
+	req.Header.Set(echo.HeaderXForwardedProto, "https")
+	rec = httptest.NewRecorder()
+	c = e.NewContext(req, rec)
+	SecureWithConfig(SecureConfig{
+		XSSProtection:         "",
+		ContentTypeNosniff:    "",
+		XFrameOptions:         "",
+		HSTSMaxAge:            3600,
+		ContentSecurityPolicy: "default-src 'self'",
+		CSPReportOnly:         true,
+	})(h)(c)
+	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
+	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
+	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
+	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
+	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
+	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
 }

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,13 @@ type (`
`53`	`53`	`// trusted web page context.`
`54`	`54`	`// Optional. Default value "".`
`55`	`55`	ContentSecurityPolicy string `yaml:"content_security_policy"`
	`56`	`+`
	`57`	+ // CSPReportOnly would use the `Content-Security-Policy-Report-Only` header instead
	`58`	+ // of the `Content-Security-Policy` header. This allows iterative updates of the
	`59`	`+ // content security policy by only reporting the violations that would`
	`60`	`+ // have occurred instead of blocking the resource.`
	`61`	`+ // Optional. Default value false.`
	`62`	+ CSPReportOnly bool `yaml:"csp_report_only"`
`56`	`63`	`}`
`57`	`64`	`)`
`58`	`65`
`@@ -108,7 +115,11 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {`
`108`	`115`	`res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains))`
`109`	`116`	`}`
`110`	`117`	`if config.ContentSecurityPolicy != "" {`
`111`		`- res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)`
	`118`	`+ if config.CSPReportOnly {`
	`119`	`+ res.Header().Set(echo.HeaderContentSecurityPolicyReportOnly, config.ContentSecurityPolicy)`
	`120`	`+ } else {`
	`121`	`+ res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)`
	`122`	`+ }`
`112`	`123`	`}`
`113`	`124`	`return next(c)`
`114`	`125`	`}`