Add ReferrerPolicy to Secure middleware (#1363)

htdvisser · vishr · commit 87da9a948b06 · 2019-08-01T15:27:09.000-07:00
diff --git a/echo.go b/echo.go
@@ -222,6 +222,7 @@ const (
 	HeaderContentSecurityPolicy           = "Content-Security-Policy"
 	HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
 	HeaderXCSRFToken                      = "X-CSRF-Token"
+	HeaderReferrerPolicy                  = "Referrer-Policy"
 )
 
 const (
diff --git a/middleware/secure.go b/middleware/secure.go
@@ -66,6 +66,11 @@ type (
 		// maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
 		// Optional.  Default value false.
 		HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
+
+		// ReferrerPolicy sets the `Referrer-Policy` header providing security against
+		// leaking potentially sensitive request paths to third parties.
+		// Optional. Default value "".
+		ReferrerPolicy string `yaml:"referrer_policy"`
 	}
 )
 
@@ -131,6 +136,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
 					res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
 				}
 			}
+			if config.ReferrerPolicy != "" {
+				res.Header().Set(echo.HeaderReferrerPolicy, config.ReferrerPolicy)
+			}
 			return next(c)
 		}
 	}
diff --git a/middleware/secure_test.go b/middleware/secure_test.go
@@ -25,6 +25,7 @@ func TestSecure(t *testing.T) {
 	assert.Equal(t, "SAMEORIGIN", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+	assert.Equal(t, "", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 	// Custom
 	req.Header.Set(echo.HeaderXForwardedProto, "https")
@@ -36,13 +37,15 @@ func TestSecure(t *testing.T) {
 		XFrameOptions:         "",
 		HSTSMaxAge:            3600,
 		ContentSecurityPolicy: "default-src 'self'",
+		ReferrerPolicy:        "origin",
 	})(h)(c)
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
+	assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 	// Custom with CSPReportOnly flag
 	req.Header.Set(echo.HeaderXForwardedProto, "https")
@@ -55,13 +58,15 @@ func TestSecure(t *testing.T) {
 		HSTSMaxAge:            3600,
 		ContentSecurityPolicy: "default-src 'self'",
 		CSPReportOnly:         true,
+		ReferrerPolicy:        "origin",
 	})(h)(c)
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+	assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 	// Custom, with preload option enabled
 	req.Header.Set(echo.HeaderXForwardedProto, "https")

Original file line number	Diff line number	Diff line change
`@@ -222,6 +222,7 @@ const (`
`222`	`222`	`HeaderContentSecurityPolicy = "Content-Security-Policy"`
`223`	`223`	`HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"`
`224`	`224`	`HeaderXCSRFToken = "X-CSRF-Token"`
	`225`	`+ HeaderReferrerPolicy = "Referrer-Policy"`
`225`	`226`	`)`
`226`	`227`
`227`	`228`	`const (`
Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,11 @@ type (`
`66`	`66`	`// maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/`
`67`	`67`	`// Optional. Default value false.`
`68`	`68`	HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
	`69`	`+`
	`70`	+ // ReferrerPolicy sets the `Referrer-Policy` header providing security against
	`71`	`+ // leaking potentially sensitive request paths to third parties.`
	`72`	`+ // Optional. Default value "".`
	`73`	+ ReferrerPolicy string `yaml:"referrer_policy"`
`69`	`74`	`}`
`70`	`75`	`)`
`71`	`76`
`@@ -131,6 +136,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {`
`131`	`136`	`res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)`
`132`	`137`	`}`
`133`	`138`	`}`
	`139`	`+ if config.ReferrerPolicy != "" {`
	`140`	`+ res.Header().Set(echo.HeaderReferrerPolicy, config.ReferrerPolicy)`
	`141`	`+ }`
`134`	`142`	`return next(c)`
`135`	`143`	`}`
`136`	`144`	`}`