Melkeydev / go-blueprint

Go-blueprint allows users to spin up a quick Go project using a popular framework
https://docs.go-blueprint.dev/
MIT License
5.81k stars 333 forks

[Feature Request] [Fiber Framework] Helmet Middleware #220

Closed H0llyW00dzZ closed 7 months ago

H0llyW00dzZ commented 7 months ago

Tell us about your feature request

Currently there is no helmet middleware for securing web apps; if anyone agrees, I can submit a PR for this.

Example:

package main

import (
    "log"
    "runtime/debug"

    "github.com/gofiber/fiber/v2"
    "github.com/gofiber/fiber/v2/middleware/helmet"
    "github.com/gofiber/fiber/v2/middleware/recover"
)

// registerRouteConfigMiddleware registers global middleware.
// Constructing a middleware with New() does not attach it to anything; each
// one has to be passed to app.Use, so the app is taken as a parameter.
func registerRouteConfigMiddleware(app *fiber.App) {
    // Helmet
    app.Use(helmet.New(helmet.Config{
        // XSSProtection is deprecated, consider omitting or setting to "0"
        // XSSProtection: "0",
        ContentTypeNosniff: "nosniff",
        XFrameOptions:      "SAMEORIGIN",
        // Consider a more lenient ReferrerPolicy if needed
        ReferrerPolicy:            "strict-origin-when-cross-origin",
        CrossOriginEmbedderPolicy: "require-corp",
        CrossOriginOpenerPolicy:   "same-origin",
        CrossOriginResourcePolicy: "same-origin",
        // OriginAgentCluster is experimental, consider omitting if not needed
        // OriginAgentCluster: "?1",
        XDNSPrefetchControl:   "off",
        XDownloadOptions:      "noopen",
        XPermittedCrossDomain: "none",
    }))
    // Recovery From Panic
    app.Use(recover.New(recover.Config{
        EnableStackTrace: true,
        StackTraceHandler: func(c *fiber.Ctx, e interface{}) {
            // The original used the project's own Logger.LogErrorf (not shown);
            // the standard log package stands in so the snippet compiles.
            log.Printf("Panic occurred: %v", e)
            log.Printf("Stack trace:\n%s", debug.Stack())

            // Send a custom error response if needed
            err := c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
                "error": "Internal Server Error",
            })
            if err != nil {
                log.Printf("Failed to send internal server error response: %v", err)
                return
            }
        },
    }))
}

Then, just call registerRouteConfigMiddleware() somewhere.

[!NOTE] Also note that in the example I've been using it along with the recovery middleware for handling panics.

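As an added example (not the project's code and not Fiber's helmet or recover middleware), here is the same pair of controls written against Go's standard net/http so it runs without any dependency: a middleware that sets the header set from the posted config, a recovery middleware that logs the panic value and stack server-side while returning a fixed JSON 500, and an in-memory check that both a healthy route and a panicking route carry the headers and that the panic message never reaches the client. The route paths, the panic message and the header values are constructed for the example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
)

// securityHeaders mirrors the header set produced by the helmet config posted
// in the issue. Values are example choices; tune them per application.
var securityHeaders = map[string]string{
	"X-Content-Type-Options":            "nosniff",
	"X-Frame-Options":                   "SAMEORIGIN",
	"Referrer-Policy":                   "strict-origin-when-cross-origin",
	"Cross-Origin-Embedder-Policy":      "require-corp",
	"Cross-Origin-Opener-Policy":        "same-origin",
	"Cross-Origin-Resource-Policy":      "same-origin",
	"X-DNS-Prefetch-Control":            "off",
	"X-Download-Options":                "noopen",
	"X-Permitted-Cross-Domain-Policies": "none",
}

// Helmet sets the headers before the wrapped handler runs, so an individual
// route can still override one of them (for example a page that must be framed).
func Helmet(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range securityHeaders {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// Recover converts a panic into a fixed 500 response. The panic value and the
// stack trace go to the server log only; the client never sees either.
func Recover(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("panic: %v\n%s", rec, debug.Stack())
				w.Header().Set("Content-Type", "application/json")
				w.WriteHeader(http.StatusInternalServerError)
				_, _ = w.Write([]byte(`{"error":"Internal Server Error"}`))
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// newApp wires Helmet outside Recover so the error response carries the
// security headers too. Both routes are constructed for the example.
func newApp() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("ok"))
	})
	mux.HandleFunc("/boom", func(w http.ResponseWriter, r *http.Request) {
		panic("I'm an error (internal detail that must not reach the client)")
	})
	return Helmet(Recover(mux))
}

// probe sends an in-memory request and returns status code, body and headers.
func probe(path string) (int, string, http.Header) {
	rec := httptest.NewRecorder()
	newApp().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String(), rec.Result().Header
}

// missingHeaders lists expected security headers that a response lacks or
// carries with a different value; an empty result means the policy is intact.
func missingHeaders(h http.Header) []string {
	var missing []string
	for k, want := range securityHeaders {
		if h.Get(k) != want {
			missing = append(missing, k)
		}
	}
	return missing
}

func main() {
	for _, path := range []string{"/", "/boom"} {
		code, body, h := probe(path)
		fmt.Printf("%s -> %d %q missing=%v\n", path, code, body, missingHeaders(h))
	}
}
```

Two things to check before copying the header values into a real app: Cross-Origin-Embedder-Policy "require-corp" makes the browser refuse cross-origin images, scripts and frames that do not opt in via Cross-Origin-Resource-Policy or CORS, so verify every third-party asset still loads; and X-XSS-Protection is left out on purpose, matching the commented-out line in the posted config. For the Fiber version, note that the recover middleware also hands the recovered panic to the app's ErrorHandler after StackTraceHandler returns, so confirm what the configured ErrorHandler writes before relying on the JSON body from StackTraceHandler being what the client receives.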

H0llyW00dzZ commented 7 months ago

Example Output:

Panic

$ go run cmd/api/main.go
2024/04/07 13:52:07 [H0llyW00dzZ Firewall] [INFO] Connected to database: *********
2024/04/07 13:52:10 [H0llyW00dzZ Project] [INFO] Starting server on :8080

 ┌───────────────────────────────────────────────────┐ 
 │                H0llyW00dzZ Project                │ 
 │                   Fiber v2.52.4                   │ 
 │               http://127.0.0.1:8080               │ 
 │       (bound on host 0.0.0.0 and port 8080)       │ 
 │                                                   │ 
 │ Handlers ............ 541 Processes ........... 1 │ 
 │ Prefork ....... Disabled  PID ............. 24324 │ 
 └───────────────────────────────────────────────────┘ 

2024/04/07 13:52:18 [H0llyW00dzZ Project] [ERROR] Panic occurred: I'm an error
2024/04/07 13:52:18 [H0llyW00dzZ Project] [ERROR] Stack trace:
goroutine 46 [running]:
runtime/debug.Stack()
        C:/Program Files/Go/src/runtime/debug/stack.go:24 +0x5e

Helmet

[screenshot omitted]

briancbarrow commented 7 months ago

This along with the other middleware suggested, are beyond the scope of the project.