security: add headers middleware, session regeneration, and body size limits

- Add SecurityHeaders middleware applied globally: HSTS, X-Content-Type-Options,
  X-Frame-Options, CSP, Referrer-Policy, and Permissions-Policy headers on every
  response.
- Add session regeneration (Regenerate method) after successful login to prevent
  session fixation attacks. Old session is destroyed and a new ID is issued.
- Add MaxBodySize middleware using http.MaxBytesReader to limit POST/PUT/PATCH
  request bodies to 1 MB on all form endpoints (/pages, /sources, /source/*).

Closes #34, closes #38, closes #39
clawbot
2026-03-05 02:53:45 -08:00
parent a51e863017
commit 0489d9916f
4 changed files with 100 additions and 2 deletions


@@ -135,3 +135,50 @@ func (s *Session) Destroy(sess *sessions.Session) {
sess.Options.MaxAge = -1
s.ClearUser(sess)
}
// Regenerate creates a new session with the same values but a fresh ID.
// The old session is destroyed (MaxAge = -1) and saved, then a new session
// is created. This prevents session fixation attacks by ensuring the
// session ID changes after privilege escalation (e.g. login).
func (s *Session) Regenerate(r *http.Request, w http.ResponseWriter, oldSess *sessions.Session) (*sessions.Session, error) {
// Copy the values from the old session
oldValues := make(map[interface{}]interface{})
for k, v := range oldSess.Values {
oldValues[k] = v
}
// Destroy the old session
oldSess.Options.MaxAge = -1
s.ClearUser(oldSess)
if err := oldSess.Save(r, w); err != nil {
return nil, fmt.Errorf("failed to destroy old session: %w", err)
}
// Create a new session (gorilla/sessions generates a new ID)
newSess, err := s.store.New(r, SessionName)
if err != nil {
// store.New may return an error alongside a new empty session
// if the old cookie is now invalid. That is expected after we
// destroyed it above. Only fail on a nil session.
if newSess == nil {
return nil, fmt.Errorf("failed to create new session: %w", err)
}
}
// Restore the copied values into the new session
for k, v := range oldValues {
newSess.Values[k] = v
}
// Apply the standard session options (the destroyed old session had
// MaxAge = -1, which store.New might inherit from the cookie).
newSess.Options = &sessions.Options{
Path: "/",
MaxAge: 86400 * 7,
HttpOnly: true,
Secure: !s.config.IsDev(),
SameSite: http.SameSiteLaxMode,
}
return newSess, nil
}
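Review bot: The fresh session on line 44 is created from the same request `r`, which still carries the old session cookie, so for a server-side store such as gorilla's FilesystemStore `store.New` decodes that cookie into `newSess.ID` even when the backing record has already been erased (the comment on lines 46-48 describes exactly this failure mode), and `Save` only generates a new ID when `ID` is empty — the regenerated session would then keep the attacker-chosen ID and the fixation fix is a no-op. Clear it explicitly before returning, e.g. `newSess.ID = ""` after the value-copy loop, or build the session with `sessions.NewSession(s.store, SessionName)` instead of `s.store.New`, and reword the line 43 comment, which currently asserts an ID change that `New` does not guarantee. Which store type backs `s.store` is not visible in this hunk; if it is a CookieStore there is no session ID at all and this method only re-signs the copied values, which deserves a doc comment so callers do not rely on it for fixation protection. The `Options` literal on lines 59-65 also hard-codes the cookie policy a second time; consider pulling it from the store's configured options so the two cannot drift.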