Closed iu4u57k3 closed 5 years ago
Server is the standard Go http.Handler, so you can combine it with other http.Handler or http.HandlerFunc values to set headers before calling it. For example:

```go
captchaServer := captcha.Server(captcha.StdWidth, captcha.StdHeight)
http.HandleFunc("/captcha/", func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-My-Header", "itworks")
	captchaServer.ServeHTTP(w, r)
})
```
All of the headers you listed seem useless, though:

- X-Content-Type-Options: nosniff: what is the attack? Server serves image and audio captchas; there's no way to make it serve user-provided data, so content type sniffing won't lead to attacks.
- X-XSS-Protection: again, no HTML/JS is served, so there's no XSS to protect against.
- X-Frame-Options seems the most useful one, however, again useless, since images and audio don't need frames to be embedded into other origins.
- Access-Control-Allow-Origin is not a header that restricts behavior; it relaxes default browser restrictions: for images, it can be used to enable cross-origin manipulation of captchas with canvas, which is not what you want.

Anything I missed?
Since captcha URLs are unguessable by design, other origins would not be able to embed them into their pages. However, you should protect the HTML page that displays captchas with X-Content-Type-Options and X-Frame-Options, so that other origins won't be able to embed it into an iframe and have people solve your captchas on sites unrelated to your website. (They still can, of course, run it server-side, so I'm not sure if that's much of a help.)
Thanks for your clarification!

It would be a good idea to add w.Header().Set("X-Frame-Options", "DENY") in the captcha.serve function, so there will be no need to add custom headers.
captcha.Serve serves images and audio, so X-Frame-Options: deny is useless for it, as mentioned above: they can be embedded with <img src="..."> and <audio src="..."> without using an iframe. However, since the image URL is unguessable, attackers will not be able to take advantage of it without knowing the captcha id.
We can set up a captcha server by using:

```go
http.Handle("/captcha/", captcha.Server(captcha.StdWidth, captcha.StdHeight))
```

However, this does not allow setting custom headers for enhancing security such as:

This leaves the application vulnerable to various attacks.