usememos/memos
1
1
Fork 0
mirror of https://github.com/usememos/memos.git synced 2024-12-20 09:41:58 +03:00
Code Issues Packages Projects Releases Wiki Activity

feat: add secure middleware (#832)

Browse Source
This commit is contained in:
boojack 2022-12-23 18:58:55 +08:00 committed by GitHub
parent dca35bde87
commit c07b4a57ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
server/resource.go
View File

@ -7,7 +7,6 @@ import (
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
"strings"
"time" "time"
"github.com/usememos/memos/api" "github.com/usememos/memos/api"
@ -263,11 +262,7 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err) return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)
} }
if strings.HasPrefix(resource.Type, echo.MIMETextHTML) {
c.Response().Writer.Header().Set("Content-Type", echo.MIMETextPlain)
} else {
c.Response().Writer.Header().Set("Content-Type", resource.Type) c.Response().Writer.Header().Set("Content-Type", resource.Type)
}
c.Response().Writer.WriteHeader(http.StatusOK) c.Response().Writer.WriteHeader(http.StatusOK)
c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable") c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
if _, err := c.Response().Writer.Write(resource.Blob); err != nil { if _, err := c.Response().Writer.Write(resource.Blob); err != nil {

4
server/server.go
View File

@ -44,6 +44,10 @@ func NewServer(profile *profile.Profile) *Server {
Timeout: 30 * time.Second, Timeout: 30 * time.Second,
})) }))
e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
ContentSecurityPolicy: "default-src 'self'",
}))
embedFrontend(e) embedFrontend(e)
// In dev mode, set the const secret key to make signin session persistence. // In dev mode, set the const secret key to make signin session persistence.