Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
Need
Secure configuration of HTTP headers - X-Permitted-Cross-Domain-Policies
Context
- Usage of Go 1.16 for building high-performance and concurrent applications
- Usage of Gin framework for building web applications in Go
Description
Non compliant code
package main
import "github.com/gin-gonic/gin"
func main() {
r := gin.Default()
r.GET("/", func(c *gin.Context) {
c.String(200, "Hello, World!")
})
r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
}
The above code is a simple Go backend application using the Gin framework. It defines a single GET route on the root ("/") which responds with "Hello, World!" when accessed.
However, this code is vulnerable due to the lack of the X-Permitted-Cross-Domain-Policies
HTTP header. This header is used to control how content loaded from the website's domain can be loaded by Adobe Flash applications running on other domains.
In the absence of this header, or if it's set to an insecure value, it can potentially allow malicious Flash content from other domains to interact with content from the website's domain, leading to cross-site request forgery (CSRF) or data leakage.
In this code, there is no middleware or route handler that sets this header, making it vulnerable to the aforementioned risks.
Steps
- Add the X-Permitted-Cross-Domain-Policies header to the HTTP response.
- Set the value of the X-Permitted-Cross-Domain-Policies header to 'none' to disable cross-domain policies.
- Implement the necessary logic to set the X-Permitted-Cross-Domain-Policies header securely.
- Test the application to ensure that the header is being set correctly and that cross-domain policies are disabled.
Compliant code
package main
import (
"github.com/gin-gonic/gin"
)
func main() {
r := gin.Default()
r.Use(func(c *gin.Context) {
c.Header("X-Permitted-Cross-Domain-Policies", "none")
c.Next()
})
r.GET("/", func(c *gin.Context) {
c.String(200, "Hello, World!")
})
r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
}
The above code fixes the vulnerability by adding a middleware function that sets the X-Permitted-Cross-Domain-Policies
header to none
for every HTTP response. This effectively disables cross-domain policies, mitigating the risk of cross-domain attacks.
Here's a breakdown of the changes:
-
A middleware function is added using the
Use
method of the gin router. This function will be executed for every HTTP request. -
Inside the middleware function, the
Header
method of the gin context is used to set theX-Permitted-Cross-Domain-Policies
header tonone
. -
The
Next
method of the gin context is called to pass control to the next middleware function in the chain. This is necessary because middleware functions in gin are executed in the order they are added, and callingNext
ensures that the rest of the middleware functions (and eventually the route handler) get executed. -
The route handler for the
/
path remains unchanged. TheX-Permitted-Cross-Domain-Policies
header will be set tonone
for the HTTP response, regardless of the route that is being accessed.
After applying these changes, you should test your application to ensure that the X-Permitted-Cross-Domain-Policies
header is being set correctly. You can do this by sending a HTTP request to your application and checking the headers of the HTTP response.