package header

import ""

Package header provides functions for parsing and setting HTTP headers.



Package Files

header.go set.go


const (
    TypeInline     = "inline"
    TypeAttachment = "attachment"
)

Constants for DispositionArgs.

const (
    // Fetch directives
    CSPChildSrc    = "child-src"    // Web workers and nested contexts such as frames
    CSPConnectSrc  = "connect-src"  // Script interfaces: Ajax, WebSocket, Fetch API, etc
    CSPDefaultSrc  = "default-src"  // Fallback for the other directives
    CSPFontSrc     = "font-src"     // Custom fonts
    CSPFrameSrc    = "frame-src"    // <frame> and <iframe>
    CSPImgSrc      = "img-src"      // Images (HTML and CSS), favicon
    CSPManifestSrc = "manifest-src" // Web app manifest
    CSPMediaSrc    = "media-src"    // <audio> and <video>
    CSPObjectSrc   = "object-src"   // <object>, <embed>, and <applet>
    CSPScriptSrc   = "script-src"   // JavaScript
    CSPStyleSrc    = "style-src"    // CSS

    // Document directives govern the properties of a document
    CSPBaseURI     = "base-uri"     // Restrict what can be used in <base>
    CSPPluginTypes = "plugin-types" // Whitelist MIME types for <object>, <embed>, <applet>
    CSPSandbox     = "sandbox"      // Enable sandbox for the page

    // Navigation directives govern where a user can navigate
    CSPFormAction     = "form-action"     // Restrict targets for form submissions
    CSPFrameAncestors = "frame-ancestors" // Valid parents for embedding with frames, <object>, etc.

    // Reporting directives control the reporting process of CSP violations; see
    // also the Content-Security-Policy-Report-Only header
    CSPReportURI = "report-uri"

    // Other directives
    CSPBlockAllMixedContent = "block-all-mixed-content" // Don't load any HTTP content when using https
)

CSP Directives.

const (
    CSPSourceSelf         = "'self'"          // Exact origin of the document
    CSPSourceNone         = "'none'"          // Nothing matches
    CSPSourceUnsafeInline = "'unsafe-inline'" // Inline <script>/<style>, onevent="", etc.
    CSPSourceUnsafeEval   = "'unsafe-eval'"   // eval()
    CSPSourceStar         = "*"               // Everything

    CSPSourceHTTP        = "http:"
    CSPSourceHTTPS       = "https:"
    CSPSourceData        = "data:"
    CSPSourceMediastream = "mediastream:"
    CSPSourceBlob        = "blob:"
    CSPSourceFilesystem  = "filesystem:"
)

Content-Security-Policy values

func Copy

func Copy(header http.Header) http.Header

Copy returns a shallow copy of the header.

func ParseList

func ParseList(header http.Header, key string) []string

ParseList parses a comma separated list of values. Commas are ignored in quoted strings. Quoted values are not unescaped or unquoted. Whitespace is trimmed.
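The splitting rule described above, as a stand-alone sketch added here for illustration; it is not the package's implementation. The names `splitList` and `parseList` and the sample Cache-Control values are constructed, and skipping empty elements is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// splitList splits one header value on commas outside double quotes. Quoted
// strings stay verbatim (quotes and backslash escapes included). Assumption:
// empty elements are skipped; the page does not say how the package treats them.
func splitList(v string) (out []string) {
	inQuote, escaped, start := false, false, 0
	emit := func(end int) {
		if s := strings.TrimSpace(v[start:end]); s != "" {
			out = append(out, s)
		}
	}
	for i := 0; i < len(v); i++ {
		switch c := v[i]; {
		case escaped:
			escaped = false // the byte after a backslash never closes the quote
		case inQuote && c == '\\':
			escaped = true
		case c == '"':
			inQuote = !inQuote
		case c == ',' && !inQuote:
			emit(i)
			start = i + 1
		}
	}
	emit(len(v))
	return out
}

// parseList applies splitList to every line of a repeated header.
func parseList(h http.Header, key string) (out []string) {
	for _, v := range h.Values(key) {
		out = append(out, splitList(v)...)
	}
	return out
}

func main() {
	h := http.Header{} // constructed sample values
	h.Add("Cache-Control", `private="Set-Cookie, Authorization", max-age=60`)
	h.Add("Cache-Control", ` ext="a \"b, c\"" , no-transform `)
	fmt.Printf("%q\n", parseList(h, "Cache-Control"))
}
```

A naive `strings.Split(v, ",")` would cut `private="Set-Cookie, Authorization"` in two, which is the failure the quoted-string rule prevents.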

func ParseTime

func ParseTime(header http.Header, key string) time.Time

ParseTime parses the header as time. The zero value is returned if the header is not present or there is an error parsing the header.

func ParseValueAndParams

func ParseValueAndParams(header http.Header, key string) (value string, params map[string]string)

ParseValueAndParams parses a comma separated list of values with optional semicolon separated name-value pairs. Content-Type and Content-Disposition headers are in this format.

func SetCSP

func SetCSP(header http.Header, args CSPArgs)

SetCSP sets a Content-Security-Policy header.

Most directives require a value. The exceptions are CSPSandbox and CSPBlockAllMixedContent.

Only special values (CSPSource* constants) need to be quoted. Don't add quotes around hosts.

Valid sources:

Hosts     , *,
Schema              data:, blob:, etc.
nonce-<val>         inline scripts using a cryptographic nonce
<hash_algo>-<val>   hash of specific script.

Also see: and



static := ""
headers := make(http.Header)
header.SetCSP(headers, header.CSPArgs{
    header.CSPDefaultSrc: {header.CSPSourceNone},
    header.CSPScriptSrc:  {static},
    header.CSPStyleSrc:   {static, header.CSPSourceUnsafeInline},
    header.CSPFormAction: {header.CSPSourceSelf},
    header.CSPReportURI:  {"/csp"},
})

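A stand-alone sketch of how a policy like the one above is serialized, added here and not taken from the package; `cspArgs`, `buildCSP` and `newNonce` are hypothetical names. It shows a per-response nonce source and a valueless directive; whether SetCSP quotes nonce sources for you is not stated on this page, so the sketch quotes them itself.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cspArgs mirrors the shape of CSPArgs on this page: directive -> sources.
type cspArgs map[string][]string

// newNonce returns 128 random bits, base64-encoded. Use a fresh one per response.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// buildCSP serializes a policy, sorted for stable output; a directive with no sources is emitted bare.
func buildCSP(args cspArgs) string {
	names := make([]string, 0, len(args))
	for name := range args {
		names = append(names, name)
	}
	sort.Strings(names)
	parts := make([]string, 0, len(names))
	for _, name := range names {
		parts = append(parts, strings.Join(append([]string{name}, args[name]...), " "))
	}
	return strings.Join(parts, "; ")
}

func main() {
	nonce, err := newNonce()
	if err != nil {
		panic(err)
	}
	h := make(http.Header)
	h.Set("Content-Security-Policy", buildCSP(cspArgs{
		"default-src":             {"'none'"},
		"script-src":              {"'self'", "'nonce-" + nonce + "'"}, // nonce sources are single-quoted on the wire
		"block-all-mixed-content": nil,
	}))
	fmt.Println(h.Get("Content-Security-Policy"))
}
```

The same nonce value must appear in the `nonce` attribute of each inline `<script>` the response is meant to allow.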
func SetContentDisposition

func SetContentDisposition(header http.Header, args DispositionArgs) error

SetContentDisposition sets the Content-Disposition header. Any previous value will be overwritten.



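headers := make(http.Header)
// Type is the disposition-type (TypeInline or TypeAttachment), not a MIME type.
if err := header.SetContentDisposition(headers, header.DispositionArgs{
    Type:     header.TypeAttachment,
    Filename: "foo.png",
}); err != nil {
    log.Fatal(err)
}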

type AcceptSpec

type AcceptSpec struct {
    Value string
    Q     float64
}

AcceptSpec describes an Accept* header.

func ParseAccept

func ParseAccept(header http.Header, key string) (specs []AcceptSpec)

ParseAccept parses Accept* headers.

type CSPArgs

type CSPArgs map[string][]string

CSPArgs are arguments for SetCSP().

type DispositionArgs

type DispositionArgs struct {
    Type     string // disposition-type
    Filename string // filename-parm
}


DispositionArgs are arguments for SetContentDisposition().

v0.0.0-20221021071853-2fea7a3c1367 (latest)
Oct 21, 2022