feat: add secure middleware (#832)
boojack authored Dec 23, 2022
1 parent dca35bd commit c07b4a5
Showing 2 changed files with 5 additions and 6 deletions.
7 changes: 1 addition & 6 deletions server/resource.go
Expand Up @@ -7,7 +7,6 @@ import (
"net/http"
"net/url"
"strconv"
"strings"
"time"

"github.com/usememos/memos/api"
Expand Down Expand Up @@ -263,11 +262,7 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)
}

if strings.HasPrefix(resource.Type, echo.MIMETextHTML) {
c.Response().Writer.Header().Set("Content-Type", echo.MIMETextPlain)
} else {
c.Response().Writer.Header().Set("Content-Type", resource.Type)
}
c.Response().Writer.Header().Set("Content-Type", resource.Type)
c.Response().Writer.WriteHeader(http.StatusOK)
c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
if _, err := c.Response().Writer.Write(resource.Blob); err != nil {
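Review bot: The new unconditional `Set("Content-Type", resource.Type)` lets a stored `text/html` resource render inside the application's origin, which the removed `echo.MIMETextPlain` downgrade prevented; the `default-src 'self'` policy added in server.go blocks inline script but still permits same-origin script sources, so it is not a full replacement for that check. Consider keeping the downgrade for HTML, or sending `c.Response().Writer.Header().Set("Content-Disposition", "attachment")` for anything that is not an image or media type, in addition to the CSP. Separately, the `Cache-Control` header on the line after `WriteHeader(http.StatusOK)` is set after the status has been written and so is never sent; move it above the `WriteHeader` call. The enclosing route handler starts and ends outside the hunk.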
4 changes: 4 additions & 0 deletions server/server.go
Expand Up @@ -44,6 +44,10 @@ func NewServer(profile *profile.Profile) *Server {
Timeout: 30 * time.Second,
}))

e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
ContentSecurityPolicy: "default-src 'self'",
}))

embedFrontend(e)

// In dev mode, set the const secret key to make signin session persistence.
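Review bot: `middleware.SecureWithConfig` emits only the headers whose config fields are non-empty, so a config carrying just `ContentSecurityPolicy` drops the `X-Content-Type-Options: nosniff` and `X-Frame-Options: SAMEORIGIN` that `middleware.Secure()` applies from its defaults; add `ContentTypeNosniff: "nosniff",` and `XFrameOptions: "SAMEORIGIN",` to the struct literal, since nosniff matters for the resource handler that serves stored blobs with their recorded Content-Type. `default-src 'self'` also forbids inline scripts and styles and any cross-origin images or fonts; if the embedded frontend or rendered memos rely on those, the browser will block them and the policy will need explicit `script-src`/`style-src`/`img-src` directives, which is worth verifying in a browser before release. NewServer continues outside the hunk.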
