mirror of
https://github.com/caddyserver/caddy.git
synced 2025-07-09 03:04:57 -04:00
Updated Things HTTP Middleware Developers Should Know (markdown)
parent
a318511d7b
commit
1fa6c119ec
@ -1,9 +1,10 @@
|
||||
*Article is a WIP*
|
||||
|
||||
- Use `httpserver.Path` to compare base paths to know whether your handler should handle the request
|
||||
- Don't touch the file system using a path from the request directly. Instead:
|
||||
- Don't touch the file system using a path from the request directly, because doing so is vulnerable to path traversal attacks. Instead:
|
||||
- To open a file, use `http.Dir` (standard lib)
|
||||
- For anything else, use `httpserver.SafePath` to get a sanitized path
|
||||
- Honor the [`HiddenFiles` field on the httpserver.SiteConfig struct](https://godoc.org/github.com/mholt/caddy/caddyhttp/httpserver#SiteConfig) if your middleware accesses files on disk.
|
||||
- If you need to wrap or record the response, wrap your own `ResponseWriter` type with `httpserver.ResponseWriterWrapper` so it is guaranteed to implement some crucial interfaces.
|
||||
- The `http.Request.URL` (especially its `.Path` value) may be changed by other "rewriting" middlewares. You can always access the original incoming URL via context: `req.Context().Value(httpserver.OriginalURLCtxKey).(url.URL)`
|
||||
- Directives (and subdirectives) follow `underscore_convention` for naming. Lower-cased, with underscore as word separators. There may be rare exceptions to this (e.g. the `header` directive uses header field names, like `Content-Type` as subdirectives), but usually try to follow this convention. It will make the user's experience with your middleware consistent with the rest of Caddy. Avoid `camelCase` or `hyphen-separation`.
|
||||
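Review bot: The reworded "Don't touch the file system using a path from the request directly" bullet now names path traversal as the reason, but the two sub-bullets under "Instead:" still do not say which directory the result has to stay inside. Consider stating the root explicitly for both `http.Dir` and `httpserver.SafePath` (for example, the site's configured root), so a reader knows what "sanitized" is measured against. The later bullet about `httpserver.OriginalURLCtxKey` would also benefit from a cross-reference: the original URL's `.Path` is request input too, so the same rule applies to it, and the example's unchecked `.(url.URL)` assertion could be shown in its two-value form.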
@ -12,3 +13,4 @@
|
||||
**For plugin authors in general (TODO: move to separate article when we get enough content):**
|
||||
|
||||
- Plugins _may_ vendor their dependencies _as long as_ they do not export vendored types (i.e. they do not share vendored types with Caddy or with any other plugin). See https://github.com/mattfarina/golang-broken-vendor for why this is bad.
|
||||
- Do NOT vendor `github.com/mholt/caddy` OR any of the packages in that repository OR any packages your plugin "registers" with if they also plug into Caddy. Doing so will cause your plugin to register with the vendored copy instead of the "main" package where the compilation originates.
|
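Review bot: In the first vendoring bullet, "See https://github.com/mattfarina/golang-broken-vendor for why this is bad" has an unclear antecedent, because the sentence before it describes what plugins may do, so "this" reads as if permitted vendoring were the bad thing. Suggest "for why exporting vendored types is bad", and formatting the bare URL as a markdown link like the `HiddenFiles` link earlier in the article. The "Do NOT vendor" bullet explains the mechanism (registration with the vendored copy) but not what the plugin author will observe; one clause on the visible symptom would make it easier to diagnose.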