add HTTP headers: X-Frame-Options, Referrer-Policy

Author: or-else

server/hdl_websock.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/gorilla/websocket"
 	"github.com/tinode/chat/server/logs"
+	"github.com/tinode/chat/server/store/types"
 )
 
 const (
@@ -165,7 +166,7 @@ var upgrader = websocket.Upgrader{
 }
 
 func serveWebSocket(wrt http.ResponseWriter, req *http.Request) {
-	now := time.Now().UTC().Round(time.Millisecond)
+	now := types.TimeNow()
 
 	if isValid, _ := checkAPIKey(getAPIKey(req)); !isValid {
 		wrt.WriteHeader(http.StatusForbidden)

server/http.go

@@ -169,17 +169,6 @@ func signalHandler() <-chan bool {
 	return stop
 }
 
-// Wrapper for http.Handler which optionally adds a Strict-Transport-Security to the response.
-func hstsHandler(handler http.Handler) http.Handler {
-	if globals.tlsStrictMaxAge != "" {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Strict-Transport-Security", "max-age="+globals.tlsStrictMaxAge)
-			handler.ServeHTTP(w, r)
-		})
-	}
-	return handler
-}
-
 // The following code is used to intercept HTTP errors so they can be wrapped into json.
 
 // Wrapper around http.ResponseWriter which detects status set to 400+ and replaces
@@ -270,6 +259,32 @@ func tlsRedirect(toPort string) http.HandlerFunc {
 	}
 }
 
+// Wrapper for adding optional HTTP headers:
+//   - Strict-Transport-Security
+//   - X-Frame-Options
+//   - Referrer-Policy
+func optionalHttpHeaders(handler http.Handler) http.Handler {
+	handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Referrer-Policy", "origin")
+		handler.ServeHTTP(w, r)
+	})
+
+	if globals.tlsStrictMaxAge != "" {
+		handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Strict-Transport-Security", "max-age="+globals.tlsStrictMaxAge)
+			handler.ServeHTTP(w, r)
+		})
+	}
+
+	if globals.xFrameOptions != "-" {
+		handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("X-Frame-Options", globals.xFrameOptions)
+			handler.ServeHTTP(w, r)
+		})
+	}
+	return handler
+}
+
 // Wrapper for http.Handler which optionally adds a Cache-Control header to the response
 func cacheControlHandler(maxAge int, handler http.Handler) http.Handler {
 	if maxAge > 0 {

server/main.go

@@ -188,6 +188,9 @@ var globals struct {
 	// Prioritize X-Forwarded-For header as the source of IP address of the client.
 	useXForwardedFor bool
 
+	// Add X-Frame-Options header to HTTP response.
+	xFrameOptions string
+
 	// Country code to assign to sessions by default.
 	defaultCountryCode string
 
@@ -286,6 +289,9 @@ type configType struct {
 	// Take IP address of the client from HTTP header 'X-Forwarded-For'.
 	// Useful when tinode is behind a proxy. If missing, fallback to default RemoteAddr.
 	UseXForwardedFor bool `json:"use_x_forwarded_for"`
+	// Add X-Frame-Options to HTTP response headers. It should be one of "DENY", "SAMEORIGIN",
+	// "-" (disabled). The default is SAMEORIGIN.
+	XFrameOptions string `json:"x_frame_options"`
 	// 2-letter country code (ISO 3166-1 alpha-2) to assign to sessions by default
 	// when the country isn't specified by the client explicitly and
 	// it's impossible to infer it.
@@ -556,6 +562,16 @@ func main() {
 		globals.defaultCountryCode = defaultCountryCode
 	}
 
+	// Configuration of X-Frame-Options header.
+	globals.xFrameOptions = config.XFrameOptions
+	if globals.xFrameOptions == "" {
+		globals.xFrameOptions = "SAMEORIGIN"
+	}
+	if globals.xFrameOptions != "SAMEORIGIN" && globals.xFrameOptions != "DENY" && globals.xFrameOptions != "-" {
+		logs.Warn.Println("Ignored invalid x_frame_options", config.XFrameOptions)
+		globals.xFrameOptions = "SAMEORIGIN"
+	}
+
 	// Websocket compression.
 	globals.wsCompression = !config.WSCompressionDisabled
 
@@ -666,15 +682,15 @@ func main() {
 			}
 		}
 		mux.Handle(staticMountPoint,
-			// Add optional Cache-Control header
+			// Add optional Cache-Control header.
 			cacheControlHandler(config.CacheControl,
-				// Optionally add Strict-Transport_security to the response
-				hstsHandler(
-					// Add gzip compression
+				// Optionally add Strict-Transport-Security and X-Frame-Options to the response.
+				optionalHttpHeaders(
+					// Add gzip compression.
 					gh.CompressHandler(
 						// And add custom formatter of errors.
 						httpErrorHandler(
-							// Remove mount point prefix
+							// Remove mount point prefix.
 							http.StripPrefix(staticMountPoint,
 								http.FileServer(http.Dir(*staticPath))))))))
 		logs.Info.Printf("Serving static content from '%s' at '%s'", *staticPath, staticMountPoint)

server/tinode.conf

@@ -63,6 +63,10 @@
 	// Useful when Tinode is behind a proxy. If missing, fallback to default RemoteAddr.
 	"use_x_forwarded_for": true,
 
+	// Add X-Frame-Options to HTTP response headers. It should be one of "DENY", "SAMEORIGIN",
+	// "-" (disabled). If the option is missing then it's treated as SAMEORIGIN.
+	"x_frame_options": "SAMEORIGIN",
+
 	// 2-letter country code to assign to sessions by default when the country isn't specified
 	// by the client explicitly and it's impossible to infer it.
 	// If missing, the server will default to "US".