Add HTTP Secure Headers on HTTPS server response (#545)

0xERR0R · Jun 2, 2022 · a120aaf · a120aaf
1 parent 2944deb
commit a120aaf
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 6 deletions.
diff --git a/server/server.go b/server/server.go
@@ -47,6 +47,7 @@ type Server struct {
 	queryResolver  resolver.Resolver
 	cfg            *config.Config
 	httpMux        *chi.Mux
+	httpsMux       *chi.Mux
 	cert           tls.Certificate
 }
 
@@ -103,15 +104,17 @@ func NewServer(cfg *config.Config) (server *Server, err error) {
 		return nil, fmt.Errorf("server creation failed: %w", err)
 	}
 
-	router := createRouter(cfg)
+	httpRouter := createRouter(cfg)
+	httpsRouter := createHTTPSRouter(cfg)
 
 	httpListeners, httpsListeners, err := createHTTPListeners(cfg)
 	if err != nil {
 		return nil, err
 	}
 
 	if len(httpListeners) != 0 || len(httpsListeners) != 0 {
-		metrics.Start(router, cfg.Prometheus)
+		metrics.Start(httpRouter, cfg.Prometheus)
+		metrics.Start(httpsRouter, cfg.Prometheus)
 	}
 
 	metrics.RegisterEventListeners()
@@ -137,16 +140,19 @@ func NewServer(cfg *config.Config) (server *Server, err error) {
 		cfg:            cfg,
 		httpListeners:  httpListeners,
 		httpsListeners: httpsListeners,
-		httpMux:        router,
+		httpMux:        httpRouter,
+		httpsMux:       httpsRouter,
 		cert:           cert,
 	}
 
 	server.printConfiguration()
 
 	server.registerDNSHandlers()
-	server.registerAPIEndpoints(router)
+	server.registerAPIEndpoints(httpRouter)
+	server.registerAPIEndpoints(httpsRouter)
 
-	registerResolverAPIEndpoints(router, queryResolver)
+	registerResolverAPIEndpoints(httpRouter, queryResolver)
+	registerResolverAPIEndpoints(httpsRouter, queryResolver)
 
 	return server, err
 }
@@ -470,7 +476,7 @@ func (s *Server) Start(errCh chan<- error) {
 			logger().Infof("https server is up and running on addr/port %s", address)
 
 			server := http.Server{
-				Handler: s.httpMux,
+				Handler: s.httpsMux,
 				TLSConfig: &tls.Config{
 					MinVersion:   tls.VersionTLS12,
 					CipherSuites: tlsCipherSuites(),

diff --git a/server/server_endpoints.go b/server/server_endpoints.go
@@ -30,6 +30,16 @@ const (
 	corsMaxAge      = 5 * time.Minute
 )
 
+func securityHeader(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("strict-transport-security", "max-age=63072000")
+		w.Header().Set("x-frame-options", "DENY")
+		w.Header().Set("x-content-type-options", "nosniff")
+		w.Header().Set("x-xss-protection", "1; mode=block")
+		next.ServeHTTP(w, r)
+	})
+}
+
 func (s *Server) registerAPIEndpoints(router *chi.Mux) {
 	router.Post(api.PathQueryPath, s.apiQuery)
 
@@ -215,6 +225,20 @@ func (s *Server) apiQuery(rw http.ResponseWriter, req *http.Request) {
 	logAndResponseWithError(err, "unable to write response: ", rw)
 }
 
+func createHTTPSRouter(cfg *config.Config) *chi.Mux {
+	router := chi.NewRouter()
+
+	configureSecurityHeaderHandler(router)
+
+	configureCorsHandler(router)
+
+	configureDebugHandler(router)
+
+	configureRootHandler(cfg, router)
+
+	return router
+}
+
 func createRouter(cfg *config.Config) *chi.Mux {
 	router := chi.NewRouter()
 
@@ -229,6 +253,7 @@ func createRouter(cfg *config.Config) *chi.Mux {
 
 func configureRootHandler(cfg *config.Config, router *chi.Mux) {
 	router.Get("/", func(writer http.ResponseWriter, request *http.Request) {
+		writer.Header().Set("content-type", dnsContentType)
 		t := template.New("index")
 		_, _ = t.Parse(web.IndexTmpl)
 
@@ -285,6 +310,10 @@ func logAndResponseWithError(err error, message string, writer http.ResponseWrit
 	}
 }
 
+func configureSecurityHeaderHandler(router *chi.Mux) {
+	router.Use(securityHeader)
+}
+
 func configureDebugHandler(router *chi.Mux) {
 	router.Mount("/debug", middleware.Profiler())
 }