- adding the security filter option

- adding the command line option for the secuirity handler

- adding the security filter option
ce5579fd · Rohith · 636c6d28 · ce5579fd · ce5579fd · ce5579fd
Commit ce5579fd authored Feb 20, 2016 by Rohith
--- a/config.go
+++ b/config.go
@@ -185,6 +185,9 @@ func readOptions(cx *cli.Context, config *Config) (err error) {
 	if cx.IsSet("max-session") {
 		config.MaxSession = cx.Duration("max-session")
 	}
+	if cx.IsSet("enable-security-filter") {
+		config.EnableSecurityFilter = true
+	}
 	if cx.IsSet("proxy-protocol") {
 		config.ProxyProtocol = cx.Bool("proxy-protocol")
 	}
@@ -321,7 +324,7 @@ func getOptions() []cli.Flag {
 		},
 		cli.StringSliceFlag{
 			Name:  "hostname",
-			Usage: "a list of hostname which the service will respond to, defaults to all",
+			Usage: "a list of hostnames the service will respond to, defaults to all",
 		},
 		cli.StringFlag{
 			Name:  "tls-cert",
@@ -388,6 +391,10 @@ func getOptions() []cli.Flag {
 			Name:  "cors-credentials",
 			Usage: "the credentials access control header (Access-Control-Allow-Credentials)",
 		},
+		cli.BoolFlag{
+			Name:  "enable-security-filter",
+			Usage: "enables the security filter handler",
+		},
 		cli.BoolFlag{
 			Name:  "skip-token-verification",
 			Usage: "testing purposes ONLY, the option allows you to bypass the token verification, expiration and roles are still enforced",

--- a/config_sample.yml
+++ b/config_sample.yml
@@ -31,6 +31,8 @@ upstream-keepalives: true
 # additional scopes to add to add to the default (openid+email+profile)
 scopes:
  - vpn-user
+# enables a more extra secuirty features
+enable-security-filter: true
 # a map of claims that MUST exist in the token presented and the value is it MUST match
 # So for example, you could match the audience or the issuer or some custom attribute
 claims:

--- a/doc.go
+++ b/doc.go
@@ -97,6 +97,8 @@ type Config struct {
 	Secret string `json:"secret" yaml:"secret"`
 	// RedirectionURL the redirection url
 	RedirectionURL string `json:"redirection_url" yaml:"redirection_url"`
+	// EnableSecurityFilter enabled the security handler
+	EnableSecurityFilter bool `json:"enable-security-filter" yaml:"enable-security-filter"`
 	// RefreshSessions enabled refresh access
 	RefreshSessions bool `json:"refresh_sessions" yaml:"refresh_sessions"`
 	// EncryptionKey is the encryption key used to encrypt the refresh token

--- a/handlers.go
+++ b/handlers.go
@@ -72,6 +72,8 @@ func (r *KeycloakProxy) securityHandler() gin.HandlerFunc {
 		BrowserXssFilter:     true,
 		ContentTypeNosniff:   true,
 		FrameDeny:            true,
+		STSIncludeSubdomains: true,
+		STSSeconds:           31536000,
 	})

 	return func(cx *gin.Context) {

--- a/server.go
+++ b/server.go
@@ -24,7 +24,6 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
-	"os"
 	"strings"
 	"sync"
 	"time"
@@ -123,9 +122,9 @@ func (r KeycloakProxy) initializeRouter() {
 	if r.config.LogRequests {
 		r.router.Use(r.loggingHandler())
 	}
-	// step: if gin release production
-	if os.Getenv("GIN_MODE") == "release" {
-		log.Infof("enabling the security handler for release mode")
+	// step: enabling the security filter?
+	if r.config.EnableSecurityFilter {
+		log.Infof("enabling the security handler")
 		r.router.Use(r.securityHandler())
 	}