dchest
commented
5 years ago Server is the standard Go http.Handler, so you can combine it with other http.Handler or http.HandlerFunc to set headers before calling it. For example,
captchaServer := captcha.Server(captcha.StdWidth, captcha.StdHeight)
http.HandleFunc("/captcha/", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-My-Header", "itworks")
captchaServer.ServeHTTP(w, r)
})All of the headers you listed seem useless, though:
X-Content-Type-Options: nosniff: what the attack is? Server serves image and audio captchas, there's no way to make it serve user-provided data, so content type sniffing won't lead to attacks.X-XSS-Protection: again, no HTML/JS is served, so there's no XSS to protect against.X-Frame-Optionsseems the most useful one, however, again useless, since images and audio don't need frames to be able to be embedded into other origins.Access-Control-Allow-Originis not a header that restricts behavior, it relaxes default browser restrictions: for images, it can be used to enable cross-origin manipulation of captchas with canvas, which is not what you want.
Anything I missed?
Since captcha URLs are unguessable by design, other origins would not be able to embed them into their pages. However you should protect your HTML page that display captchas with X-Content-Type-Options and X-Frame-Options so that other origins won't be able to embed it into iframe so that people solve your captchas on unrelated to your website. (They still can, of course, run it server-side, so I'm not sure if that's much of the help).
iu4u57k3
We can setup a captcha server by using:
http.Handle("/captcha/", captcha.Server(captcha.StdWidth, captcha.StdHeight)However, this does not allow setting custom headers for enhancing security such as:
This leaves the application vulnerable to various attacks