Need

Secure configuration of HTTP headers - X-Permitted-Cross-Domain-Policies

Context

• Usage of Go 1.16 for building high-performance and concurrent applications
• Usage of Gin framework for building web applications in Go

Description

Non compliant code

        package main

import "github.com/gin-gonic/gin"

func main() {
	r := gin.Default()

	r.GET("/", func(c *gin.Context) {
		c.String(200, "Hello, World!")
	})

	r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
}
        
        

The above code is a simple Go backend application using the Gin framework. It defines a single GET route on the root ("/") which responds with "Hello, World!" when accessed.

However, this code is vulnerable due to the lack of the X-Permitted-Cross-Domain-Policies HTTP header. This header is used to control how content loaded from the website's domain can be loaded by Adobe Flash applications running on other domains.

In the absence of this header, or if it's set to an insecure value, it can potentially allow malicious Flash content from other domains to interact with content from the website's domain, leading to cross-site request forgery (CSRF) or data leakage.

In this code, there is no middleware or route handler that sets this header, making it vulnerable to the aforementioned risks.

Steps

• Add the X-Permitted-Cross-Domain-Policies header to the HTTP response.
• Set the value of the X-Permitted-Cross-Domain-Policies header to 'none' to disable cross-domain policies.
• Implement the necessary logic to set the X-Permitted-Cross-Domain-Policies header securely.
• Test the application to ensure that the header is being set correctly and that cross-domain policies are disabled.

Compliant code

        package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.Use(func(c *gin.Context) {
		c.Header("X-Permitted-Cross-Domain-Policies", "none")
		c.Next()
	})

	r.GET("/", func(c *gin.Context) {
		c.String(200, "Hello, World!")
	})

	r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
}
        
        

The above code fixes the vulnerability by adding a middleware function that sets the X-Permitted-Cross-Domain-Policies header to none for every HTTP response. This effectively disables cross-domain policies, mitigating the risk of cross-domain attacks.

Here's a breakdown of the changes:

1. A middleware function is added using the Use method of the gin router. This function will be executed for every HTTP request.

2. Inside the middleware function, the Header method of the gin context is used to set the X-Permitted-Cross-Domain-Policies header to none.

3. The Next method of the gin context is called to pass control to the next middleware function in the chain. This is necessary because middleware functions in gin are executed in the order they are added, and calling Next ensures that the rest of the middleware functions (and eventually the route handler) get executed.

4. The route handler for the / path remains unchanged. The X-Permitted-Cross-Domain-Policies header will be set to none for the HTTP response, regardless of the route that is being accessed.

After applying these changes, you should test your application to ensure that the X-Permitted-Cross-Domain-Policies header is being set correctly. You can do this by sending a HTTP request to your application and checking the headers of the HTTP response.

References

• 137. Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies