fix: consolidate security related headers - drop middleware.Secure

deployments/examples/ocis_wopi/config/ocis/csp.yaml

@@ -7,6 +7,8 @@ directives:
     - '''none'''
   font-src:
     - '''self'''
+  frame-ancestors:
+    - '''none'''
   frame-src:
     - '''self'''
     - 'https://embed.diagrams.net/'

ocis-pkg/middleware/header.go

@@ -38,22 +38,3 @@ func Cors(opts ...cors.Option) func(http.Handler) http.Handler {
 		AllowCredentials: options.AllowCredentials,
 	})
 }
-
-// Secure writes required access headers to all requests.
-func Secure(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Indicates whether the browser is allowed to render this page in a <frame>, <iframe>, <embed> or <object>.
-		w.Header().Set("X-Frame-Options", "DENY")
-		// Does basically the same as X-Frame-Options.
-		w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
-		// This header inidicates that MIME types advertised in the Content-Type headers should not be changed and be followed.
-		w.Header().Set("X-Content-Type-Options", "nosniff")
-
-		if r.TLS != nil {
-			// Tell browsers that the website should only be accessed  using HTTPS.
-			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
-		}
-
-		next.ServeHTTP(w, r)
-	})
-}

ocis-pkg/service/debug/service.go

@@ -68,7 +68,6 @@ func NewService(opts ...Option) *http.Server {
 				cors.AllowedHeaders(dopts.CorsAllowedHeaders),
 				cors.AllowCredentials(dopts.CorsAllowCredentials),
 			),
-			middleware.Secure,
 			middleware.Version(
 				dopts.Name,
 				dopts.Version,

services/graph/pkg/server/http/server.go

@@ -79,7 +79,6 @@ func Server(opts ...Option) (http.Service, error) {
 			cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
 			cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 		),
-		middleware.Secure,
 	}
 	// how do we secure the api?
 	var requireAdminMiddleware func(stdhttp.Handler) stdhttp.Handler

services/idp/pkg/server/http/server.go

@@ -61,7 +61,6 @@ func Server(opts ...Option) (http.Service, error) {
 			chimiddleware.RequestID,
 			middleware.TraceContext,
 			middleware.NoCache,
-			middleware.Secure,
 			middleware.Version(
 				options.Config.Service.Name,
 				version.GetString(),

services/invitations/pkg/server/http/server.go

@@ -55,7 +55,6 @@ func Server(opts ...Option) (ohttp.Service, error) {
 			cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
 			cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 		))
-	mux.Use(middleware.Secure)
 
 	mux.Use(middleware.Version(
 		options.Name,

services/ocs/pkg/server/http/server.go

@@ -69,7 +69,6 @@ func Server(opts ...Option) (http.Service, error) {
 				cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
 				cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 			),
-			middleware.Secure,
 			middleware.Version(
 				options.Config.Service.Name,
 				version.GetString(),

services/proxy/pkg/config/csp.yaml

@@ -7,6 +7,8 @@ directives:
     - '''none'''
   font-src:
     - '''self'''
+  frame-ancestors:
+    - '''none'''
   frame-src:
     - '''self'''
     - 'https://embed.diagrams.net/'

services/proxy/pkg/middleware/security.go

@@ -42,6 +42,7 @@ func Security(cspConfig *config.CSP) func(h http.Handler) http.Handler {
 		ContentSecurityPolicy:   cspBuilder.MustBuild(),
 		ContentTypeNosniff:      true,
 		CustomFrameOptionsValue: "SAMEORIGIN",
+		FrameDeny:               true,
 		ReferrerPolicy:          "strict-origin-when-cross-origin",
 		STSSeconds:              315360000,
 		STSPreload:              true,

services/settings/pkg/server/http/server.go

@@ -52,7 +52,6 @@ func Server(opts ...Option) (ohttp.Service, error) {
 		cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
 		cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 	))
-	mux.Use(middleware.Secure)
 	mux.Use(middleware.ExtractAccountUUID(
 		account.Logger(options.Logger),
 		account.JWTSecret(options.Config.TokenManager.JWTSecret)),

services/sse/pkg/server/http/server.go

@@ -64,7 +64,6 @@ func Server(opts ...Option) (http.Service, error) {
 			cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
 			cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 		),
-		middleware.Secure,
 	}
 
 	mux := chi.NewMux()

services/thumbnails/pkg/server/http/server.go

@@ -39,7 +39,6 @@ func Server(opts ...Option) (http.Service, error) {
 		svc.Middleware(
 			middleware.RealIP,
 			middleware.RequestID,
-			// ocismiddleware.Secure,
 			ocismiddleware.Version(
 				options.Config.Service.Name,
 				version.GetString(),

services/userlog/pkg/server/http/server.go

@@ -63,7 +63,6 @@ func Server(opts ...Option) (http.Service, error) {
 			cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
 			cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 		),
-		middleware.Secure,
 	}
 
 	mux := chi.NewMux()

services/web/pkg/middleware/silentrefresh.go

@@ -7,7 +7,6 @@ import (
 // SilentRefresh allows the oidc client lib to silently refresh the token in an iframe
 func SilentRefresh(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-Frame-Options", "SAMEORIGIN")
 		w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")
 		next.ServeHTTP(w, r)
 	})

services/web/pkg/server/http/server.go

@@ -84,7 +84,6 @@ func Server(opts ...Option) (http.Service, error) {
 			chimiddleware.RealIP,
 			chimiddleware.RequestID,
 			middleware.NoCache,
-			middleware.Secure,
 			webmid.SilentRefresh,
 			middleware.Version(
 				"web",

services/webdav/pkg/server/http/server.go

@@ -48,7 +48,6 @@ func Server(opts ...Option) (http.Service, error) {
 				cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
 				cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 			),
-			middleware.Secure,
 			middleware.Version(
 				options.Config.Service.Name,
 				version.GetString(),

services/webfinger/pkg/server/http/server.go

@@ -57,7 +57,6 @@ func Server(opts ...Option) (ohttp.Service, error) {
 			cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
 			cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 		))
-	mux.Use(middleware.Secure)
 
 	mux.Use(middleware.Version(
 		options.Name,