Enhance security options #1890

Kukulkano · 2021-06-08T14:14:47Z

Kukulkano
Jun 8, 2021

Hi. I'm migrating an Apache webservice to run using go and echo framework only. I now had a look at the security settings and found the Apache doing the following:

The following apache stuff should be converted for echo framework at set on a generic level:

SSLEngine on
SSLProtocol +ALL -TLSv1 -TLSv1.1 -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite AESGCM:CAMELLIA256:AES256:CAMELLIA128:SEED:-RSA:-aNULL:-ADH:-AECDH

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Feature-Policy "autoplay 'none'; camera 'none'"
Header set X-Content-Type-Options "nosniff"
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header unset X-Powered-By

How do I set these values in echo? Or is this not needed?

Answered by aldas

Jun 8, 2021

If you need custom configuration for TLS when you would need to create something like that

func main() {
	e := echo.New()
	// create for Echo routes
	
	s := http.Server{
		Addr:    ":8443",
		Handler: e, // set Echo as handler
		TLSConfig: &tls.Config{
			//Certificates: nil, // <-- s.ListenAndServeTLS will populate this field for you
			//CipherSuites:                nil,
			//PreferServerCipherSuites:    false,
			//MinVersion:                  0,
			//MaxVersion:                  0,
			//CurvePreferences:            nil,
		},
	}
	if err := s.ListenAndServeTLS("server.crt", "server.key"); err != http.ErrServerClosed {
		log.Fatal(err)
	}
}

If you need to add headers to responses. do:

func

View full answer

aldas · 2021-06-08T15:00:59Z

aldas
Jun 8, 2021
Maintainer

If you need custom configuration for TLS when you would need to create something like that

func main() {
	e := echo.New()
	// create for Echo routes
	
	s := http.Server{
		Addr:    ":8443",
		Handler: e, // set Echo as handler
		TLSConfig: &tls.Config{
			//Certificates: nil, // <-- s.ListenAndServeTLS will populate this field for you
			//CipherSuites:                nil,
			//PreferServerCipherSuites:    false,
			//MinVersion:                  0,
			//MaxVersion:                  0,
			//CurvePreferences:            nil,
		},
	}
	if err := s.ListenAndServeTLS("server.crt", "server.key"); err != http.ErrServerClosed {
		log.Fatal(err)
	}
}

If you need to add headers to responses. do:

func main() {
	e := echo.New()

	// this middleware will add these headers to every handler
	e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c echo.Context) error {
			c.Response().Header().Add("Pragma", "no-cache")
			// ..
			// ..
			return next(c)
		}
	})

	e.GET("/", func(c echo.Context) error {
		// or in handler function
		c.Response().Header().Add("Pragma", "no-cache")
		return c.JSON(http.StatusOK, "{}")
	})
	
	// ... start server
}

1 reply

Kukulkano Jun 10, 2021
Author

Thanks, aldas!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enhance security options #1890

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Enhance security options #1890

Kukulkano Jun 8, 2021

Replies: 1 comment · 1 reply

aldas Jun 8, 2021 Maintainer

Kukulkano Jun 10, 2021 Author

Kukulkano
Jun 8, 2021

Replies: 1 comment 1 reply

aldas
Jun 8, 2021
Maintainer

Kukulkano Jun 10, 2021
Author