John Niang 09d4b40da8
Apply specific headers for portal endpoints (#2972)
#### What type of PR is this?

/kind improvement
/area core

#### What this PR does / why we need it:

This PR separates security configuration of RESTful APIs and portal pages to configure specific headers for portal pages, such as `Referrer-Policy` and `X-Frame-Options`.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/2900

#### Special notes for your reviewer:

You can see the response headers of the index page:

```diff
HTTP/1.1 200 OK
Content-Type: text/html
Content-Language: en-US
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: SAMEORIGIN
+ X-XSS-Protection: 0
+ Referrer-Policy: strict-origin-when-cross-origin
content-encoding: gzip
content-length: 4285
```
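Review bot: the four `+` lines give the portal page `X-Frame-Options: SAMEORIGIN` but no `Content-Security-Policy` with a `frame-ancestors` directive appears beside it; consider emitting `Content-Security-Policy: frame-ancestors 'self'` on the portal chain as well, since `frame-ancestors` is the standardized successor to `X-Frame-Options` and can list specific origins, while `X-Frame-Options` stays as the fallback for older clients. `X-XSS-Protection: 0` is the right value here: it switches the legacy browser auditor off instead of relying on it.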

and request headers with `Referer`:
```diff
GET / HTTP/1.1
Host: localhost:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
+ Referer: http://localhost:8090/archives/12341234
Connection: keep-alive
Cookie: _ga_Z907HJBP8W=GS1.1.1670164888.1.1.1670165603.0.0.0; _ga=GA1.1.807839437.1670164889; SESSION=539e060e-c11e-4b6d-a749-882905b30a88; XSRF-TOKEN=4b692b55-638c-4497-8a4b-be00986eda90
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
```
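Review bot: the `Cookie:` line carries live `SESSION` and `XSRF-TOKEN` values (plus Google Analytics client ids) from the test environment; redact them in the PR description even for a localhost capture, since only the `+ Referer:` line is needed to demonstrate the fix.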

#### Does this PR introduce a user-facing change?

```release-note
Fix the problem that access analytics tools could not display the referer
```
2022-12-16 03:32:35 +00:00
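The split this PR describes, one security configuration for the RESTful API and a separate one for portal pages so that each can carry its own headers, maps onto two ordered `SecurityWebFilterChain` beans in Spring Security 6 WebFlux (the stack the Spring Boot 3.0 entry in settings.gradle implies for Halo 2.x). The following is an added illustrative example, not Halo's own code: the `/api/**` and `/apis/**` prefixes, the package and the class name are assumptions, and the portal chain reproduces the four headers shown in the response above.

```java
package example.security; // hypothetical package, not part of Halo

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;
import org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter.HeaderValue;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

/**
 * Two filter chains, matched in @Order sequence. A request that hits the
 * API matcher never reaches the portal chain, so each chain can write a
 * different set of security headers. Spring Boot registers ServerHttpSecurity
 * as a prototype bean, so injecting it into two @Bean methods is fine.
 */
@Configuration
public class SplitHeadersSecurityConfig {

    // Chain 1: RESTful API. Path prefixes are an assumption for this example.
    @Bean
    @Order(1)
    SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http) {
        http.securityMatcher(ServerWebExchangeMatchers.pathMatchers("/api/**", "/apis/**"));
        http.headers(headers -> headers
            // JSON responses are never framed: deny outright.
            .frameOptions(frame -> frame.mode(Mode.DENY))
            // API clients have no use for a Referer; leak nothing.
            .referrerPolicy(referrer -> referrer.policy(ReferrerPolicy.NO_REFERRER)));
        return http.build();
    }

    // Chain 2: everything else, i.e. the theme-rendered portal pages.
    @Bean
    @Order(2)
    SecurityWebFilterChain portalFilterChain(ServerHttpSecurity http) {
        http.headers(headers -> headers
            // X-Content-Type-Options: nosniff (Spring's default, kept explicit here)
            .contentTypeOptions(opts -> { })
            // X-Frame-Options: SAMEORIGIN, so the site may embed its own pages
            .frameOptions(frame -> frame.mode(Mode.SAMEORIGIN))
            // X-XSS-Protection: 0 disables the legacy browser auditor
            .xssProtection(xss -> xss.headerValue(HeaderValue.DISABLED))
            // Referrer-Policy: strict-origin-when-cross-origin keeps the full
            // Referer on same-origin navigations, which is what site analytics
            // reads, while sending only the origin cross-site over HTTPS.
            .referrerPolicy(referrer -> referrer
                .policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)));
        return http.build();
    }
}
```

Order matters: the API chain must carry the lower `@Order` value and an explicit `securityMatcher`, otherwise the catch-all portal chain would claim every request and the API would silently inherit the portal headers.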

README.md


Halo [ˈheɪloʊ], an easy-to-use and powerful open-source website builder.

Website | Documentation | Community | Gitee | Telegram channel


Quick start

```bash
docker run \
  -it -d \
  --name halo \
  -p 8090:8090 \
  -v ~/.halo2:/root/.halo2 \
  -e HALO_EXTERNAL_URL=http://localhost:8090/ \
  -e HALO_SECURITY_INITIALIZER_SUPERADMINUSERNAME=admin \
  -e HALO_SECURITY_INITIALIZER_SUPERADMINPASSWORD=P@88w0rd \
  halohub/halo:2.0
```

The command above is for trial use only (note the fixed superadmin credentials passed in as environment variables; change them before exposing an instance). For the full deployment guide see: https://docs.halo.run/getting-started/install/docker-compose

Online demo

Ecosystem

Visit awesome-halo for themes and plugins that already support Halo 2.0, as well as related repositories for Halo 1.x.

License


Halo is open source under the GPL-v3.0 license; please comply with its terms.

Contributing

See CONTRIBUTING.
