feat: add -dev flag for local HTTP testing
In development mode (-dev):
- The HSTS header is omitted (so the browser does not cache an HTTPS-only requirement for the host)
- The CSRF cookie's Secure flag is cleared (allows the cookie over plain HTTP)
- A warning is logged on startup

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
1e1888625d
commit
c98fe735ad
3 changed files with 10 additions and 1 deletions
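--- a/csrf.go
+++ b/csrf.go
@@ -25,6 +25,7 @@ func setCSRFToken(w http.ResponseWriter) (string, error) {
 Path: "/",
 HttpOnly: false, // must be readable via form hidden field comparison
 SameSite: http.SameSiteStrictMode,
+Secure: !devMode,
 })
 return token, nil
 }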
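Review bot: `Secure: !devMode` is the only cookie attribute whose value depends on runtime configuration, yet unlike the `HttpOnly: false` line above it carries no comment saying when and why it can be off, so an auditor reading the cookie flags has to go find the `-dev` flag in main.go. Suggest `Secure: !devMode, // cleared only under -dev so the token cookie can be set over plain HTTP; always set in production`. `devMode` is a package-level variable assigned in main after `flag.Parse()`, so this also relies on it being written once before the first request is served, which is worth stating next to the declaration. setCSRFToken's signature and the start of the cookie literal lie outside the hunk.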
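--- a/main.go
+++ b/main.go
@@ -18,6 +18,7 @@ import (
 )
 
 var myPublicURL = "https://ldap.nemunai.re"
+var devMode bool
 
 // dockerRegistrySecret is required for X-Special-Auth anonymous access.
 // If empty, the feature is disabled.
@@ -80,9 +81,14 @@ func main() {
 var baseURL = flag.String("baseurl", "/", "URL prepended to each URL")
 var configfile = flag.String("config", "", "path to the configuration file")
 var publicURL = flag.String("public-url", myPublicURL, "Public base URL used in password reset emails")
+var dev = flag.Bool("dev", false, "Development mode: disables HSTS and cookie Secure flag for local HTTP testing")
 flag.Parse()
 
 myPublicURL = *publicURL
+devMode = *dev
+if devMode {
+log.Println("WARNING: running in development mode — security features relaxed, do not use in production")
+}
 
 // Sanitize options
 log.Println("Checking paths...")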
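Review bot: `var devMode bool` has no doc comment although it is read from request handlers in other files (this commit's securityHeaders and setCSRFToken hunks), so the variable's contract — written once before serving, read concurrently afterwards — is nowhere stated; suggest `// devMode is set once from the -dev flag before the server starts and is read by request handlers; when true, HSTS is omitted and the CSRF cookie's Secure flag is cleared. Never enable in production.` Assigning it anywhere other than this single line in main would be a data race with those readers. The flag itself has no environmental safeguard: a unit file or script copied from a development machine would silently relax production with only a one-line startup log to show for it. If main exposes a listen-address option (not visible in this hunk), refusing `-dev` unless that address is loopback would make the misconfiguration fail closed.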
@ -13,7 +13,9 @@ func securityHeaders(next http.Handler) http.Handler {
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline' https://stackpath.bootstrapcdn.com; style-src https://stackpath.bootstrapcdn.com; img-src 'self'; font-src https://stackpath.bootstrapcdn.com")
w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline' https://stackpath.bootstrapcdn.com; style-src https://stackpath.bootstrapcdn.com; img-src 'self'; font-src https://stackpath.bootstrapcdn.com")
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
if !devMode {
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
}
next.ServeHTTP(w, r)
next.ServeHTTP(w, r)
})
})
}
}
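Review bot: Omitting the header under `-dev` only stops a browser from acquiring an HSTS policy; a browser that has already visited this host over HTTPS keeps the cached policy until its max-age (63072000 seconds, two years) expires and will still refuse the plain-HTTP dev server, so the description's "prevents browser caching" holds only for a profile that has never seen the host. A comment above the new `if !devMode {` would spare the next developer that confusion, e.g. `// Omitted under -dev so the plain-HTTP dev server is reachable; a browser that already cached HSTS for this host still refuses HTTP until the policy expires, so use a hostname it has not seen (e.g. localhost).` The page does not show this file's name, and the enclosing securityHeaders function and its handler closure open before the hunk.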