💾 Archived View for capsule.adrianhesketh.com › 2016 › 07 › 29 › implementing-hsts-as-go-middleware captured on 2023-05-24 at 18:25:41. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-

capsule.adrianhesketh.com

home

Implementing HSTS as Go Middleware

hsts

This week, I launched a new application, having bought a domain, setup a load balancer with an SSL certificate etc.

Unfortunately my new Go app didn't have a feature to redirect the user from HTTP to HTTPS automatically, meaning that it was possible for the user to send data without it being encrypted.

I needed my Go app to detect when the user was accessing the system over HTTP and get them to use HTTPS instead so I created some middleware to do it.

This is straightforward if the Go app is handling SSL itself, but in my case, I had the extra complexity of using an AWS Elastic Load Balancer (ELB) to manage the SSL for me - meaning that the Go application just sees incoming traffic.

The AWS ELB adds a HTTP header called X-Forwarded-Scheme to request which I can use to determine whether the incoming request was HTTP or HTTPS. So I used the [0] middleware to collect the value and pass it to the `[1] struct (`r.URL.Scheme`) making my middleware work for both scenarios.

[0]

[1]

Since I always want people to use HTTPS to access the system, I also added a HSTS header which sets user's browsers to automatically use HTTPS, even when presented with a HTTP URL in the future.

You can use it in your projects by the usual method of `go get github.com/a-h/hsts` - work with me on it at [2]

[2]

More

Next

Health Hack Night

Previous

JSON Schema to Go Struct Generator Roundup

Home

home