feat: add secure middleware (#832)

c07b4a57 · boojack · GitHub · dca35bde · c07b4a57 · c07b4a57
Unverified Commit c07b4a57 authored Dec 23, 2022 by boojack Committed by GitHub Dec 23, 2022
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 6 deletions

resource.go server/resource.go +1 -6

server.go server/server.go +4 -0

No files found.
--- a/server/resource.go
+++ b/server/resource.go
@@ -7,7 +7,6 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
-	"strings"
 	"time"
 	"github.com/usememos/memos/api"
@@ -263,11 +262,7 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)
 		}
-		if strings.HasPrefix(resource.Type, echo.MIMETextHTML) {
-			c.Response().Writer.Header().Set("Content-Type", echo.MIMETextPlain)
-		} else {
 		c.Response().Writer.Header().Set("Content-Type", resource.Type)
-		}
 		c.Response().Writer.WriteHeader(http.StatusOK)
 		c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
 		if _, err := c.Response().Writer.Write(resource.Blob); err != nil {

--- a/server/server.go
+++ b/server/server.go
@@ -44,6 +44,10 @@ func NewServer(profile *profile.Profile) *Server {
 		Timeout:      30 * time.Second,
 	}))
+	e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
+		ContentSecurityPolicy: "default-src 'self'",
+	}))
 	embedFrontend(e)
 	// In dev mode, set the const secret key to make signin session persistence.