From c07b4a57caa89905e54b800f4d8fb720bbf5bf82 Mon Sep 17 00:00:00 2001
From: boojack
Date: Fri, 23 Dec 2022 18:58:55 +0800
Subject: [PATCH] feat: add secure middleware (#832)

---
 server/resource.go | 7 +------
 server/server.go | 4 ++++
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/server/resource.go b/server/resource.go
index 589561a2d81c0..714e9a47f0252 100644
--- a/server/resource.go
+++ b/server/resource.go
@@ -7,7 +7,6 @@ import (
 "net/http"
 "net/url"
 "strconv"
- "strings"
 "time"
 
 "github.com/usememos/memos/api"
@@ -263,11 +262,7 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
 return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)
 }
 
- if strings.HasPrefix(resource.Type, echo.MIMETextHTML) {
- c.Response().Writer.Header().Set("Content-Type", echo.MIMETextPlain)
- } else {
- c.Response().Writer.Header().Set("Content-Type", resource.Type)
- }
+ c.Response().Writer.Header().Set("Content-Type", resource.Type)
 c.Response().Writer.WriteHeader(http.StatusOK)
 c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
 if _, err := c.Response().Writer.Write(resource.Blob); err != nil {
diff --git a/server/server.go b/server/server.go
index 243f26adf05ed..5f43e7f8ff92d 100644
--- a/server/server.go
+++ b/server/server.go
@@ -44,6 +44,10 @@ func NewServer(profile *profile.Profile) *Server {
 Timeout: 30 * time.Second,
 }))
 
+ e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
+ ContentSecurityPolicy: "default-src 'self'",
+ }))
+
 embedFrontend(e)
 
 // In dev mode, set the const secret key to make signin session persistence.
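Review bot: With the `strings.HasPrefix(resource.Type, echo.MIMETextHTML)` downgrade removed, the public resource route now serves every uploaded blob under its stored, user-controlled `resource.Type`, so a `text/html` (or `image/svg+xml`) upload is rendered as a same-origin document, and the global `default-src 'self'` policy added in server.go does not close that hole: `'self'` still permits `<script src="…">` pointing at another uploaded resource served from the same origin, whose Content-Type is equally user-controlled. I would keep the downgrade for HTML — `if strings.HasPrefix(resource.Type, echo.MIMETextHTML) { c.Response().Writer.Header().Set("Content-Type", echo.MIMETextPlain) }` with the `strings` import restored — or else give this route its own `Content-Disposition: attachment` / `Content-Security-Policy: sandbox` response headers for HTML and SVG types. Separately, on the context lines `Cache-Control` is set after `WriteHeader(http.StatusOK)`, so that header is never sent; move the `Set(echo.HeaderCacheControl, …)` line above the `WriteHeader` call. `registerResourcePublicRoutes` starts and ends outside this hunk.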
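Review bot: Passing a `SecureConfig` with only `ContentSecurityPolicy` set appears to drop the other headers `middleware.Secure()` emits — in echo v4 `SecureWithConfig` fills in only `Skipper`, so `X-Content-Type-Options: nosniff` and `X-Frame-Options: SAMEORIGIN` are not sent, and since `default-src` does not govern `frame-ancestors`, this policy alone provides no clickjacking protection; worth confirming against the echo version pinned in go.mod. Add `ContentTypeNosniff: "nosniff",` and `XFrameOptions: "SAMEORIGIN",` alongside the `ContentSecurityPolicy` line; nosniff matters here in particular because resource.go in the same commit now serves uploads under their stored content type. Note also that this policy applies to every response including the embedded frontend and blocks inline script/style, `data:` and `blob:` sources; whether the SPA runs under it cannot be told from this hunk. `NewServer` continues past the end of the hunk.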