Lewati ke konten
Gin Web Framework

Header Keamanan

Penting untuk menggunakan header keamanan untuk melindungi aplikasi web Anda dari kerentanan keamanan umum. Contoh ini menunjukkan cara menambahkan header keamanan ke aplikasi Gin Anda dan juga cara menghindari serangan terkait Host Header Injection (SSRF, Open Redirection).

package main


import (
  "net/http"


  "github.com/gin-gonic/gin"
)


func main() {
  r := gin.Default()


  expectedHost := "localhost:8080"


  // Pengaturan Header Keamanan
  r.Use(func(c *gin.Context) {
    if c.Request.Host != expectedHost {
      c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid host header"})
      return
    }
    c.Header("X-Frame-Options", "DENY")
    c.Header("Content-Security-Policy", "default-src 'self'; connect-src *; font-src *; script-src-elem * 'unsafe-inline'; img-src * data:; style-src * 'unsafe-inline';")
    c.Header("X-XSS-Protection", "1; mode=block")
    c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
    c.Header("Referrer-Policy", "strict-origin")
    c.Header("X-Content-Type-Options", "nosniff")
    c.Header("Permissions-Policy", "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()")
    c.Next()
  })


  r.GET("/ping", func(c *gin.Context) {
    c.JSON(200, gin.H{
      "message": "pong",
    })
  })


  r.Run() // jalankan server pada 0.0.0.0:8080
}

Anda dapat mengujinya melalui curl:

Terminal window
// Periksa Header


curl localhost:8080/ping -I


HTTP/1.1 404 Not Found
Content-Security-Policy: default-src 'self'; connect-src *; font-src *; script-src-elem * 'unsafe-inline'; img-src * data:; style-src * 'unsafe-inline';
Content-Type: text/plain
Permissions-Policy: geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()
Referrer-Policy: strict-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Date: Sat, 30 Mar 2024 08:20:44 GMT
Content-Length: 18


// Periksa Host Header Injection


curl localhost:8080/ping -I -H "Host:neti.ee"


HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Date: Sat, 30 Mar 2024 08:21:09 GMT
Content-Length: 31