{"id":28423492,"url":"https://github.com/alexferl/echo-secure","last_synced_at":"2025-06-25T11:31:53.305Z","repository":{"id":285491753,"uuid":"958313609","full_name":"alexferl/echo-secure","owner":"alexferl","description":"Security headers middleware for the Echo framework","archived":false,"fork":false,"pushed_at":"2025-04-07T00:46:57.000Z","size":19,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-05T09:08:36.490Z","etag":null,"topics":["echo","echo-labstack","echo-middleware","echo-secure","labstack-echo"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alexferl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-04-01T01:55:01.000Z","updated_at":"2025-04-07T00:46:18.000Z","dependencies_parsed_at":"2025-04-01T03:27:02.052Z","dependency_job_id":"469f1b89-99ef-4c01-9446-7e1fa704b36c","html_url":"https://github.com/alexferl/echo-secure","commit_stats":null,"previous_names":["alexferl/echo-secure"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/alexferl/echo-secure","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexferl%2Fecho-secure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexferl%2Fecho-secure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexferl%2Fecho-secure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexferl%2Fecho-secur
e/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alexferl","download_url":"https://codeload.github.com/alexferl/echo-secure/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexferl%2Fecho-secure/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261863136,"owners_count":23221492,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["echo","echo-labstack","echo-middleware","echo-secure","labstack-echo"],"created_at":"2025-06-05T09:08:29.822Z","updated_at":"2025-06-25T11:31:53.297Z","avatar_url":"https://github.com/alexferl.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# echo-secure [![Go Report Card](https://goreportcard.com/badge/github.com/alexferl/echo-secure)](https://goreportcard.com/report/github.com/alexferl/echo-secure) [![codecov](https://codecov.io/gh/alexferl/echo-secure/branch/master/graph/badge.svg)](https://codecov.io/gh/alexferl/echo-secure)\n\nA security headers middleware for the [Echo](https://github.com/labstack/echo) framework.\n\n## Installing\n```shell\ngo get github.com/alexferl/echo-secure\n```\n\n## Using\n### Code example\n```go\npackage main\n\nimport (\n    \"net/http\"\n\n    \"github.com/alexferl/echo-secure\"\n    \"github.com/labstack/echo/v4\"\n)\n\nfunc main() {\n    e := echo.New()\n\n    e.Use(secure.New())\n\n    e.GET(\"/\", func(c echo.Context) error {\n        return c.String(http.StatusOK, \"hello\")\n    })\n\n    
e.Logger.Fatal(e.Start(\"localhost:1323\"))\n}\n```\n\n```shell\nhttp http://127.0.0.1:1323\nHTTP/1.1 200 OK\nContent-Length: 5\nContent-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';\nContent-Type: text/plain; charset=UTF-8\nCross-Origin-Embedder-Policy: require-corp\nCross-Origin-Opener-Policy: same-origin\nCross-Origin-Resource-Policy: same-origin\nDate: Tue, 01 Apr 2025 02:29:34 GMT\nPermissions-Policy: accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()\nReferrer-Policy: no-referrer\nX-Content-Type-Options: nosniff\nX-Frame-Options: DENY\n\nhello\n```\n\n### Configuration\n```go\n// StrictTransportSecurity defines the parameters for HTTP Strict Transport Security (HSTS).\n// HSTS instructs browsers to only use HTTPS for the domain of the issuing host.\ntype StrictTransportSecurity struct {\n\t// MaxAge sets the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.\n\t// A value of 0 disables HSTS.\n\t// Optional. Default: 0.\n\tMaxAge int\n\n\t// ExcludeSubdomains specifies whether the HSTS policy applies to all subdomains.\n\t// When set to true, the includeSubDomains directive is omitted.\n\t// Optional. Default: false.\n\tExcludeSubdomains bool\n\n\t// PreloadEnabled adds the preload directive to the header, indicating consent to have the domain preloaded in browsers.\n\t// Note: You still need to submit your domain to hstspreload.org to be included in the preload list.\n\t// Optional. 
Default: false.\n\tPreloadEnabled bool\n}\n\n// Config defines the config for Secure middleware.\ntype Config struct {\n\t// Skipper defines a function to skip middleware.\n\tSkipper middleware.Skipper\n\n\t// ContentSecurityPolicy sets the `Content-Security-Policy` header\n\t// which helps prevent XSS attacks by specifying which dynamic resources are allowed to load.\n\t// Reference: https://content-security-policy.com/\n\t// Optional. Default: \"default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';\".\n\tContentSecurityPolicy string\n\n\t// ContentSecurityPolicyReportOnly sets the policy in report-only mode, which sends violation reports\n\t// but doesn't enforce the policy. Useful for testing before deployment.\n\t// Optional. Default: false.\n\tContentSecurityPolicyReportOnly bool\n\n\t// CrossOriginEmbedderPolicy sets the `Cross-Origin-Embedder-Policy` header\n\t// which controls whether the document can embed resources from other origins.\n\t// Optional. Default: \"require-corp\".\n\tCrossOriginEmbedderPolicy string\n\n\t// CrossOriginOpenerPolicy sets the `Cross-Origin-Opener-Policy` header\n\t// which controls how the document interacts with cross-origin windows.\n\t// Optional. Default: \"same-origin\".\n\tCrossOriginOpenerPolicy string\n\n\t// CrossOriginResourcePolicy sets the `Cross-Origin-Resource-Policy` header\n\t// which restricts how a resource can be embedded in other websites.\n\t// Optional. Default: \"same-origin\".\n\tCrossOriginResourcePolicy string\n\n\t// PermissionsPolicy sets the `Permissions-Policy` header\n\t// which controls which browser features can be used by the document and any embedded iframes.\n\t// Policy generator: https://www.permissionspolicy.com\n\t// Optional. 
Default: `permissionPolicyFeatures`.\n\tPermissionsPolicy string\n\n\t// ReferrerPolicy sets the `Referrer-Policy` header\n\t// which controls how much referrer information is included with requests.\n\t// Optional. Default: \"no-referrer\".\n\tReferrerPolicy string\n\n\t// Server sets the `Server` header\n\t// Optional. Default: \"\".\n\tServer string\n\n\t// StrictTransportSecurity configures the HTTP Strict Transport Security header\n\t// which instructs browsers to only use HTTPS for the domain.\n\tStrictTransportSecurity StrictTransportSecurity\n\n\t// XContentTypeOptions sets the `X-Content-Type-Options` header\n\t// which prevents browsers from MIME-sniffing a response away from the declared content-type.\n\t// Optional. Default: \"nosniff\".\n\tXContentTypeOptions string\n\n\t// XFrameOptions sets the `X-Frame-Options` header\n\t// which indicates whether a browser should be allowed to render a page in a \u003cframe\u003e, \u003ciframe\u003e, \u003cembed\u003e or \u003cobject\u003e.\n\t// Optional. Default: \"DENY\".\n\t// Possible values:\n\t// - \"SAMEORIGIN\" - Allow framing on same origin\n\t// - \"DENY\" - Deny framing completely\n\tXFrameOptions string\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexferl%2Fecho-secure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falexferl%2Fecho-secure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexferl%2Fecho-secure/lists"}