/paranoidhttp

Paranoidhttp provides a pre-configured http.Client that protects you from harm.

Primary LanguageGoMIT LicenseMIT

Paranoidhttp

Build Status Coverage Status MIT License GoDoc

Paranoidhttp provides a pre-configured http.Client that protects you from harm.

Description

Paranoidhttp is a factory of http.Client that is paranoid againt attackers. This is useful when you craete a HTTP request using inputs from possibly malicious users.

The created http.Client protects you from connecting to internal IP ranges even though redirects or DNS tricks are used.

Synopsis

// use the default client for ease
res, err := paranoidhttp.DefaultClient.Get("http://www.hatena.ne.jp")

// or customize the client for yourself
client, transport, dialer := paranoidhttp.NewClient()
client.Timeout = 10 * time.Second
transport.DisableCompression = true
dialer.KeepAlive = 60 * time.Second

// Add an permitted ipnets with functional option
ipNet, _ := net.ParseCIDR("127.0.0.1/32")
client, _, _ := paranoidhttp.New(
    paranoidhttp.PermittedIPNets(ipNet))

Known Issues

  • Supports only IPv4 (blocks IPv6).

Acknowledgement

I want to thank LWPx::ParanoidAgent.

License

MIT

Author

hakobe