diff --git a/config/aah.conf b/config/aah.conf index d0593ac..0429428 100644 --- a/config/aah.conf +++ b/config/aah.conf @@ -1,9 +1,9 @@ -################################################### -# aahwebsite - aah framework application +# ----------------------------------------------------------------------------- +# website - aah Application Configuration # -# Complete configuration reference: -# https://docs.aahframework.org/app-config.html -################################################### +# Refer documentation to explore and customize the configurations. +# Doc: https://docs.aahframework.org/app-config.html +# ----------------------------------------------------------------------------- # Application name (non-whitespace) # Default value is `basename` of import path. diff --git a/config/routes.conf b/config/routes.conf index f2dbdfb..778c83b 100644 --- a/config/routes.conf +++ b/config/routes.conf @@ -1,79 +1,48 @@ -#################################################### -# aahwebsite - Application Routes Configuration +# ----------------------------------------------------------------------------- +# website - Application Routes Configuration # -# Complete configuration reference: -# https://docs.aahframework.org/routes-config.html -#################################################### +# Refer documentation to explore and configure routes. +# Doc: https://docs.aahframework.org/routing.html +# ----------------------------------------------------------------------------- -#------------------------------------------------------------------------ -# Domain and sub-domain configuration goes into section `domains { ... }` -#------------------------------------------------------------------------ domains { - # Domain name/ip address with port no, basically unique name + #------------------------------------------------------------------------------ + # Domain/subdomain Key Name + # Choose a `unique keyname` to define domain section and its configuration. + # Tip: domain name address, port no values could be used to create a + # meaningful domain key, etc. + # + # Doc: https://docs.aahframework.org/routes-config.html#domain-configuration + #------------------------------------------------------------------------------ aahframework { - name = "aahframework.org routes" - - # aah supports multi-domain routes configuration out-of-the-box. - # `host` used to determine domain routes for the incoming request. - # For e.g: example.org + name = "aahframework website routes" host = "localhost" - # Redirect trailing slash is to enable automatic redirection if the current - # route can't be matched but a `route` for the path with (without) - # the trailing slash exists. - # Default value is `true`. - #redirect_trailing_slash = true - - # aah supports out-of-the-box `405 MethodNotAllowed` status with `Allow` - # header as per `RFC7231`. Perfect for RESTful APIs. - # Default value is `true`. - #method_not_allowed = true - - # aah framework supports out-of-the-box `OPTIONS` request replies. - # User defined `OPTIONS` routes take priority over the automatic replies. - # Perfect for RESTful APIs. - # Default value is `true`. - #auto_options = true - - #---------------------------------------------------------------------------- - # Static Routes Configuration + #------------------------------------------------------------------------------ + # Static files Routes Configuration # To serve static files, it can be directory or individual file. # This section optional one, for e.g: RESTful APIs doesn't need this section. # Static files are delivered via `http.ServeContent`. # # Supported features: - # * Serve directory - # * Serve individual file - # * Directory listing + # - Serve directory + # - Serve individual file + # - Directory listing # - # Pick your choice of `unique name` for each `directory` or `individual` file + # Choose an `unique name` for each `directory` or `individual` file # static route definition. It is called `route name`. + # # Doc: https://docs.aahframework.org/routes-config.html#section-static - #---------------------------------------------------------------------------- + #------------------------------------------------------------------------------ static { - #------------------------------------- - # Static route name, pick a unique one - # for serving directory - #------------------------------------- public_assets { - # URL 'path' for serving directory - # Below definition means '/assets/**' path = "/assets" - - # Relative to application base directory or an absolute path dir = "static" - - # list directory, default is 'false' - #list = true } - # serving single file favicon { path = "/favicon.ico" - - # Direct file mapping, It can be relative to application base directory - # or an absolute path. For relative path, it uses below `base_dir` config value. file = "img/favicon.ico" } @@ -103,11 +72,11 @@ domains { } } - #----------------------------------------------------------------------------- - # Application routes - # Doc: https://docs.aahframework.org/routes-config.html#section-routes - # Doc: https://docs.aahframework.org/routes-config.html#namespace-group-routes - #----------------------------------------------------------------------------- + # ----------------------------------------------------------------------------- + # Routes Configuration + # + # Doc: https://docs.aahframework.org/routes-config.html#routes-configuration + # ----------------------------------------------------------------------------- routes { ping_pong { path = "/ping" @@ -115,29 +84,9 @@ domains { action = "HealthCheck" } - #------------------------------------------------------ - # Pick an unique name, it's called `route name`, - # used for reverse URL. - #------------------------------------------------------ index { - # path is used to match incoming requests - # It can contain `:name` - Named parameter and - # `*name` - Catch-all parameter path = "/" - - # HTTP method mapping, It can be multiple `HTTP` methods with comma separated - # Default value is `GET`, it can be lowercase or uppercase - #method = "GET" - - # The controller to be called for mapped URL path. - # * `controller` attribute supports with or without package prefix. For e.g.: `v1.User` or `User` - # * `controller` attribute supports both naming conventions. For e.g.: `User` or `UserController` controller = "SiteController" - - # The action/method name in the controller to be called for mapped URL path. - # Default values are mapped based on `HTTP` method. Refer doc for more info. - # Default action value for GET is 'Index'. - #action = "Index" } get_involved { @@ -203,10 +152,6 @@ domains { host = "docs.localhost" subdomain = true - method_not_allowed = true - redirect_trailing_slash = true - auto_options = false - routes { index { path = "/" @@ -234,12 +179,6 @@ domains { } } - #show_doc { - # path = "/:version/*content" - # controller = "DocController" - # action = "ShowDoc" - #} - } # end - docs app routes } # end - docs aahframework diff --git a/config/security.conf b/config/security.conf index 69be889..a340c3a 100644 --- a/config/security.conf +++ b/config/security.conf @@ -1,140 +1,18 @@ -###################################################### -# aahwebsite - Application Security Configuration +# ----------------------------------------------------------------------------- +# website - Application Security Configuration # -# Complete routes configuration reference: -# https://docs.aahframework.org/security-config.html -###################################################### +# Refer documentation to explore and customize the configurations. +# Doc: https://docs.aahframework.org/security-config.html +# ----------------------------------------------------------------------------- security { - auth_schemes { - - } - - # ------------------------------------------------------------------ - # Session configuration - # HTTP state management across multiple requests. - # Doc: https://docs.aahframework.org/app-config.html#section-session - # ------------------------------------------------------------------ - session { - # Session mode to choose whether HTTP session should be persisted or - # destroyed at the end of the request. Supported values are `stateless` - # and `stateful`. - # Default value is `stateless` - #mode = "stateful" - - # Session store is to choose where session value should be persisted. - #store { - # Currently aah framework supports `cookie` and `file` as store type. - # Also framework provide extensible `session.Storer` interface to - # add custom session store. - # Default value is `cookie` - #type = "cookie" - - # Filepath is used for file store to store session file in the file system. - # This is only applicable for `type="file"`, make sure application has - # Read/Write access to the directory. Provide absolute path. - #filepath = "/path/to/store/session/files" - #} - - # Session ID length - # Default value is 32 - #id_length = 32 - - # Time-to-live for session data. Valid time units are "m = minutes", - # "h = hours" and 0. - # Default value is `0`, cookie is deleted when the browser is closed. - #ttl = "" - - # Session cookie name prefix. - # Default value is `aah` For e.g.: `aah_session` - #prefix = "aah" - - # Default value is "" - #domain = "" - - # Default value is "/" - #path = "/" - - # HTTP session cookie HTTPOnly value. This option prevents XSS - # (Cross Site Scripting) attacks. - # Default value is true - #http_only = true - - # HTTP session cookie secure value. - # However if aah server is not configured with SSL then - # framework sets this value as false - # Default value is true - #secure = true - - # HTTP session cookie value signing using `HMAC`. For server farm this - # should be same in all instance. For HMAC sign & verify it recommend to use - # key size is `32` or `64` bytes. - # Default value is `64` bytes (generated when application gets created - # using `aah new` command). - #sign_key = "" - - # HTTP session cookie value encryption and decryption using `AES`. For server - # farm this should be same in all instance. AES algorithm is used, valid - # lengths are `16`, `24`, or `32` bytes to select `AES-128`, `AES-192`, or `AES-256`. - # Default value is `32` bytes (generated when application gets created - # using `aah new` command). - #enc_key = "" - - # Cleanup Interval is used to clean the expired session objects from store. - # This is only applicable for non-cookie store type. - # Cleanup performed in dedicated goroutine. Valid time units are - # `m -> minutes`, `h -> hours`. - # Default value is `30m`. - #cleanup_interval = "30m" - } # ------------------------------------------------------------ # Anti-CSRF Protection # Doc: https://docs.aahframework.org/anti-csrf-protection.html # ------------------------------------------------------------ anti_csrf { - # Enabling Anti-CSRF Protection. - # Default value is `true`. enable = false - - # Anti-CSRF secret length - # Default value is `32`. - #secret_length = 32 - - # HTTP Header name for cipher token - # Default value is `X-Anti-CSRF-Token`. - #header_name = "X-Anti-CSRF-Token" - - # Form field name for cipher token - # Default value is `anti_csrf_token`. - #form_field_name = "anti_csrf_token" - - #Anti-CSRF secure cookie prefix - # Default value is `aah`. Cookie name would be `aah_anti_csrf`. - #prefix = "aah" - - # Default value is `empty` string. - #domain = "" - - # Default value is `/`. - #path = "/" - - # Time-to-live for Anti-CSRF secret. Valid time units are "m = minutes", - # "h = hours" and 0. - # Default value is `24h`. - #ttl = "24h" - - # Anti-CSRF cookie value signing using `HMAC`. For server farm this - # should be same in all instance. For HMAC sign & verify it recommend to use - # key size is `32` or `64` bytes. - # Default value is `64` bytes (`aah new` generates strong one). - sign_key = "{{ .AppAntiCSRFSignKey }}" - - # Anti-CSRF cookie value encryption and decryption using `AES`. For server - # farm this should be same in all instance. AES algorithm is used, valid - # lengths are `16`, `24`, or `32` bytes to select `AES-128`, `AES-192`, or `AES-256`. - # Default value is `32` bytes (`aah new` generates strong one). - enc_key = "{{ .AppAntiCSRFEncKey }}" } # --------------------------------------------------------------------------- @@ -145,156 +23,7 @@ security { # Tip: Quick way to verify secure headers - https://securityheaders.io # --------------------------------------------------------------------------- http_header { - # X-XSS-Protection - # Designed to enable the cross-site scripting (XSS) filter built into modern - # web browsers. This is usually enabled by default, but using this header - # will enforce it. - # - # Learn more: - # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp - # https://www.keycdn.com/blog/x-xss-protection/ - # - # Encouraged to make use of header `Content-Security-Policy` with enhanced - # policy to reduce XSS risk along with header `X-XSS-Protection`. - # Default values is `1; mode=block`. - #xxssp = "1; mode=block" - - # X-Content-Type-Options - # Prevent Content Sniffing or MIME sniffing. - # - # Learn more: - # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto - # https://en.wikipedia.org/wiki/Content_sniffing - # Default value is `nosniff`. - #xcto = "nosniff" - - # X-Frame-Options - # Prevents Clickjacking. - # - # Learn more: - # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo - # https://www.keycdn.com/blog/x-frame-options/ - # Default value is `SAMEORIGIN`. - #xfo = "SAMEORIGIN" - - # Referrer-Policy - # This header governs which referrer information, sent in the Referer header, should - # be included with requests made. - # Referrer Policy has been a W3C Candidate Recommendation since 26 January 2017. - # - # Learn more: - # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy - # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ - # https://www.w3.org/TR/referrer-policy/ - # Default value is `no-referrer-when-downgrade`. - #rp = "no-referrer-when-downgrade" - - # Strict-Transport-Security (STS, aka HSTS) - # STS header that lets a web site tell browsers that it should only be communicated - # with using HTTPS, instead of using HTTP. - # - # Learn more: - # https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet - # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - # - # Note: Framework checks that application uses SSL on startup then applies - # this header. Otherwise it does not apply. - sts { - # The time, in seconds, that the browser should remember that this site - # is only to be accessed using HTTPS. Valid time units are - # "s -> seconds", "m -> minutes", "h - hours". - # Default value is `30 days` in hours. - #max_age = "720h" - - # If enabled the STS rule applies to all of the site's subdomains as well. - # Default value is `false`. - include_subdomains = true - - # Before enabling preload option, please read about pros and cons from above links. - # Default value is `false`. - #preload = false - } - - # Content-Security-Policy (CSP) - # Provides a rich set of policy directives that enable fairly granular control - # over the resources that a page is allowed. Prevents XSS risks. - # - # Learn more: - # https://content-security-policy.com/ - # https://developers.google.com/web/fundamentals/security/csp/ - # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#csp - # - # Read above references and define your policy. - # - # Note: It is highly recommended to verify your policy directives in report - # only mode before enabling this header. Since its highly controls how your - # page is rendered. - # - # No default values, you have to provide it. - csp { - # Set of directives to govern the resources load on a page. - #directives = "" - - # By default, violation reports aren't sent. To enable violation reporting, - # you need to specify the report-uri policy directive. - report_uri = "" - - # Puts your `Content-Security-Policy` in report only mode, so that you can verify - # and then set `csp_report_only` value to false. - # Don't forget to set the `report-uri` for validation. - report_only = true - } - - # Public-Key-Pins PKP (aka HPKP) - # This header prevents the Man-in-the-Middle Attack (MITM) with forged certificates. - # - # Learn more: - # https://scotthelme.co.uk/hpkp-http-public-key-pinning/ - # https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning - # Read above references and define your keys. - # - # Note: - # - HPKP has the potential to lock out users for a long time if used incorrectly! - # The use of backup certificates and/or pinning the CA certificate is recommended. - # - It is highly recommended to verify your policy directives in report only mode - # before enabling this header - # - It is highly recommended to verify your PKP in report only mode before enabling this header. - # No default values, you have to provide it. - pkp { - # The Base64 encoded Subject Public Key Information (SPKI) fingerprint. - # These values gets added as `pin-sha256=; ...`. - #keys = [ - #"X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=", - #"MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=" - #] - - # The time that the browser should remember that this site is only to be - # accessed using one of the defined keys. - # Valid time units are "s -> seconds", "m -> minutes", "h - hours". - max_age = "720h" - - # If enabled the PKP keys applies to all of the site's subdomains as well. - # Default value is `false`. - include_subdomains = false - - # By default, Pin validation failure reports aren't sent. To enable Pin validation - # failure reporting, you need to specify the report-uri. - report_uri = "" - - # Puts your `Public-Key-Pins` in report only mode, so that you can verify - # and then set `pkp_report_only` value to false. - # Don't forget to set the `report-uri` for validation. - report_only = true - } - - # X-Permitted-Cross-Domain-Policies - # Restrict Adobe Flash Player's or PDF documents access via crossdomain.xml, - # and this header. - # - # Learn more: - # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xpcdp - # https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html - # Default value is `master-only`. + enable = true xpcdp = "" } } diff --git a/static/css/aah.css b/static/css/aah.css index ebd571c..289f843 100644 --- a/static/css/aah.css +++ b/static/css/aah.css @@ -1017,6 +1017,11 @@ pre, code { padding-right: 5px; } +.footer .about-aah code { + background-color: inherit; + font-weight: bold; +} + /* Algoli Search */ .aah-search-base-version { padding-top: 20px; diff --git a/views/common/footer.html b/views/common/footer.html index 58aacd0..3340c97 100644 --- a/views/common/footer.html +++ b/views/common/footer.html @@ -60,12 +60,12 @@

Sponsors

- Made with aah framework v{{ .AahVersion }}
- Site version {{ .AppBuildInfo.Version }}
+ Made with aah v{{ .AahVersion }}
+ site version {{ .AppBuildInfo.Version }}
- aah is pronounced as ah (IPA: /ˈɑː/); it means delight, joyful pleasure. aah framework brings aah into Go application development and its maintenance. + aah [ah] brings great joy in Go application development and its maintenance.