-
Notifications
You must be signed in to change notification settings - Fork 3
/
expect-ct.go
97 lines (79 loc) · 2.37 KB
/
expect-ct.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
package helmet
import (
"fmt"
"net/http"
"strings"
)
// HeaderExpectCT is the Expect-CT HTTP security header.
const HeaderExpectCT = "Expect-CT"
// DirectiveEnforce is the Expect-CT Enforce directive.
const DirectiveEnforce ExpectCTDirective = "enforce"
// ExpectCTDirectiveMaxAge is the Expect-CT MaxAge directive.
func ExpectCTDirectiveMaxAge(maxAge int) ExpectCTDirective {
if maxAge <= 0 {
return ""
}
return ExpectCTDirective(fmt.Sprintf("max-age=%d", maxAge))
}
// ExpectCTDirectiveReportURI is the Expect-CT ReportURI directive.
func ExpectCTDirectiveReportURI(reportURI string) ExpectCTDirective {
if reportURI == "" {
return ""
}
return ExpectCTDirective(fmt.Sprintf(`report-uri="%s"`, reportURI))
}
type (
// ExpectCTDirective represents an Expect-CT directive.
ExpectCTDirective string
// ExpectCT represents the Expect-CT HTTP security header.
ExpectCT struct {
MaxAge int // number of seconds that the browser should cache and apply the received policy for
Enforce bool // controls whether the browser should enforce the policy or treat it as report-only mode
ReportURI string // specifies where the browser should send reports if it does not receive valid CT information
cache string
}
)
// NewExpectCT creates a new Expect-CT.
func NewExpectCT(maxAge int, enforce bool, reportURI string) *ExpectCT {
return &ExpectCT{
Enforce: enforce,
MaxAge: maxAge,
ReportURI: reportURI,
}
}
// EmptyExpectCT creates a blank slate Expect-CT.
func EmptyExpectCT() *ExpectCT {
return NewExpectCT(0, false, "")
}
func (ect *ExpectCT) String() string {
if len(ect.cache) != 0 {
return ect.cache
}
// max age is not optional
if ect.MaxAge <= 0 {
ect.cache = ""
return ect.cache
}
builder := []string{
string(ExpectCTDirectiveMaxAge(ect.MaxAge)),
}
if ect.Enforce {
builder = append(builder, string(DirectiveEnforce))
}
if ect.ReportURI != "" {
builder = append(builder, string(ExpectCTDirectiveReportURI(ect.ReportURI)))
}
ect.cache = strings.Join(builder, ", ")
return ect.cache
}
// Empty returns whether the Expect-CT is empty.
func (ect *ExpectCT) Empty() bool {
// enforce and report-uri are optional
return ect.MaxAge == 0
}
// Header adds the Expect-CT HTTP security header to the given http.ResponseWriter.
func (ect *ExpectCT) Header(w http.ResponseWriter) {
if !ect.Empty() {
w.Header().Set(HeaderExpectCT, ect.String())
}
}