photoprism/internal/server/security.go

package server

import (
	"github.com/gin-gonic/gin"

	"github.com/photoprism/photoprism/internal/api"
	"github.com/photoprism/photoprism/internal/config"
	"github.com/photoprism/photoprism/pkg/header"
)

// Security is a middleware that adds security-related headers to the server's response.
var Security = func(conf *config.Config) gin.HandlerFunc {
	return func(c *gin.Context) {
		// Abort if the request should not be served through a CDN.
		if header.AbortCdnRequest(c.Request) {
			api.AbortNotFound(c)
			return
		}

		// Set Content Security Policy.
		// See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
		c.Header(header.ContentSecurityPolicy, header.DefaultContentSecurityPolicy)

		// Set Frame Options.
		// See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
		c.Header(header.FrameOptions, header.DefaultFrameOptions)
	}
}
Backend: Add HTTP security middleware 2021-10-17 16:48:53 +02:00			`package server`

			`import (`
			`"github.com/gin-gonic/gin"`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00
API: Refactor "404 Not Found" response handler #3931 Signed-off-by: Michael Mayer <michael@photoprism.app> 2024-01-16 20:56:43 +01:00			`"github.com/photoprism/photoprism/internal/api"`
Security: Add "header" package for setting common response headers #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-09 17:16:49 +02:00			`"github.com/photoprism/photoprism/internal/config"`
Auth: Ensure backwards compatibility for existing API clients #808 #3943 These changes ensure that the new (SHA256) session ID is returned in the "session_id" field, so that developers have time to update their client implementations to use the new "access_token" field. Signed-off-by: Michael Mayer <michael@photoprism.app> 2024-01-07 12:25:56 +01:00			`"github.com/photoprism/photoprism/pkg/header"`
Backend: Add HTTP security middleware 2021-10-17 16:48:53 +02:00			`)`

Config: Allow CORS for fonts and CSS when using a CDN #3931 see https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements Signed-off-by: Michael Mayer <michael@photoprism.app> 2024-01-16 20:04:36 +01:00			`// Security is a middleware that adds security-related headers to the server's response.`
Security: Add "header" package for setting common response headers #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-09 17:16:49 +02:00			`var Security = func(conf *config.Config) gin.HandlerFunc {`
Backend: Add HTTP security middleware 2021-10-17 16:48:53 +02:00			`return func(c *gin.Context) {`
Config: Allow CORS for fonts and CSS when using a CDN #3931 see https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements Signed-off-by: Michael Mayer <michael@photoprism.app> 2024-01-16 20:04:36 +01:00			`// Abort if the request should not be served through a CDN.`
			`if header.AbortCdnRequest(c.Request) {`
API: Refactor "404 Not Found" response handler #3931 Signed-off-by: Michael Mayer <michael@photoprism.app> 2024-01-16 20:56:43 +01:00			`api.AbortNotFound(c)`
API: Only allow CDNs to cache GET, HEAD, and OPTIONS requests #3931 Signed-off-by: Michael Mayer <michael@photoprism.app> 2024-01-16 16:17:16 +01:00			`return`
			`}`

Config: Add PHOTOPRISM_HTTP_CORS option for CDN users #3931 #3940 In addition, the Access-Control-Allow-Origin header is set to the same URL if an Origin header is found in the request (experimental). Signed-off-by: Michael Mayer <michael@photoprism.app> 2024-01-15 13:06:27 +01:00			`// Set Content Security Policy.`
			`// See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy`
			`c.Header(header.ContentSecurityPolicy, header.DefaultContentSecurityPolicy)`

			`// Set Frame Options.`
			`// See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options`
			`c.Header(header.FrameOptions, header.DefaultFrameOptions)`
Backend: Add HTTP security middleware 2021-10-17 16:48:53 +02:00			`}`
			`}`