mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-06 13:14:11 +00:00
aa90303d92
- Update go.mod module path from mhsanaei/3x-ui/v3 to saeederamy/3x-ui/v3 - Update all 73 Go files' import paths accordingly - Fix README.fa_IR.md install command to point to fork's main branch The fork was referencing the original repo's module path in go.mod and all Go source imports, making it dependent on MHSanaei's namespace at build time. https://claude.ai/code/session_01M6d5atbWjuLTj6UwRHoK5m
54 lines
1.4 KiB
Go
54 lines
1.4 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/saeederamy/3x-ui/v3/web/session"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// SecurityHeadersMiddleware adds browser hardening headers to panel responses.
|
|
func SecurityHeadersMiddleware(directHTTPS bool) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
c.Header("X-Content-Type-Options", "nosniff")
|
|
c.Header("X-Frame-Options", "DENY")
|
|
c.Header("Referrer-Policy", "no-referrer")
|
|
c.Header("Content-Security-Policy", "frame-ancestors 'none'; base-uri 'self'; form-action 'self'")
|
|
if directHTTPS {
|
|
c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// CSRFMiddleware rejects unsafe requests that do not include the session CSRF token.
|
|
// Bearer-token-authenticated callers (api_authed flag set by APIController.checkAPIAuth)
|
|
// short-circuit the CSRF check — they are not browser sessions, so the
|
|
// cross-site request forgery threat model doesn't apply to them.
|
|
func CSRFMiddleware() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
if c.GetBool("api_authed") {
|
|
c.Next()
|
|
return
|
|
}
|
|
if isSafeMethod(c.Request.Method) {
|
|
c.Next()
|
|
return
|
|
}
|
|
if !session.ValidateCSRFToken(c) {
|
|
c.AbortWithStatus(http.StatusForbidden)
|
|
return
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
func isSafeMethod(method string) bool {
|
|
switch method {
|
|
case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
|
|
return true
|
|
default:
|
|
return false
|
|
}
|
|
}
|