增强安全性

2025-11-14 12:20:27 +08:00 · 2020-11-10 12:47:24 +08:00
parent 8e664f33db
commit 26066daad7
118 changed files with 164 additions and 133 deletions
--- a/internal/web/helpers/user_should_auth.go
+++ b/internal/web/helpers/user_should_auth.go
@@ -1,6 +1,7 @@
 package helpers

 import (
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/iwind/TeaGo/actions"
 	"net/http"
 	"strconv"
@@ -12,6 +13,14 @@ type UserShouldAuth struct {

 func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramName string) (goNext bool) {
 	this.action = actionPtr.Object()
+
+	// 安全相关
+	action := this.action
+	if !teaconst.EnabledFrame {
+		action.AddHeader("X-Frame-Options", "SAMEORIGIN")
+	}
+	action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")
+
 	return true
 }

@@ -20,18 +29,28 @@ func (this *UserShouldAuth) StoreAdmin(adminId int, remember bool) {
 	// 修改sid的时间
 	if remember {
 		cookie := &http.Cookie{
-			Name:   "sid",
-			Value:  this.action.Session().Sid,
-			Path:   "/",
-			MaxAge: 14 * 86400,
+			Name:     "sid",
+			Value:    this.action.Session().Sid,
+			Path:     "/",
+			MaxAge:   14 * 86400,
+			HttpOnly: true,
+		}
+		if this.action.Request.TLS != nil {
+			cookie.SameSite = http.SameSiteStrictMode
+			cookie.Secure = true
 		}
 		this.action.AddCookie(cookie)
 	} else {
 		cookie := &http.Cookie{
-			Name:   "sid",
-			Value:  this.action.Session().Sid,
-			Path:   "/",
-			MaxAge: 0,
+			Name:     "sid",
+			Value:    this.action.Session().Sid,
+			Path:     "/",
+			MaxAge:   0,
+			HttpOnly: true,
+		}
+		if this.action.Request.TLS != nil {
+			cookie.SameSite = http.SameSiteStrictMode
+			cookie.Secure = true
 		}
 		this.action.AddCookie(cookie)
 	}