From b5af7796535d97d9c7af42539af01d787fcb3b4d Mon Sep 17 00:00:00 2001
From: Bo-Yi Wu
Date: Tue, 20 May 2025 17:33:47 +0800
Subject: [PATCH] refactor: strengthen HTTPS security and improve code organization
- Enforce a minimum TLS version of 1.2 for HTTPS servers in RunTLS
- Refactor regular expression variable declarations into a grouped var block
Signed-off-by: Bo-Yi Wu
---
 gin.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/gin.go b/gin.go
index 1633fe13..ecf77c4c 100644
--- a/gin.go
+++ b/gin.go
@@ -5,6 +5,7 @@ package gin
 import (
+ "crypto/tls"
 "fmt"
 "html/template"
 "net"
@@ -41,8 +42,10 @@ var defaultTrustedCIDRs = []*net.IPNet{
 },
 }
-var regSafePrefix = regexp.MustCompile("[^a-zA-Z0-9/-]+")
-var regRemoveRepeatedChar = regexp.MustCompile("/{2,}")
+var (
+ regSafePrefix = regexp.MustCompile("[^a-zA-Z0-9/-]+")
+ regRemoveRepeatedChar = regexp.MustCompile("/{2,}")
+)
 // HandlerFunc defines the handler used by gin middleware as return value.
 type HandlerFunc func(*Context)
@@ -515,7 +518,15 @@ func (engine *Engine) RunTLS(addr, certFile, keyFile string) (err error) {
 "Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.")
 }
- err = http.ListenAndServeTLS(addr, certFile, keyFile, engine.Handler())
+ server := &http.Server{
+ Addr: addr,
+ Handler: engine.Handler(),
+ TLSConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12, // TLS 1.2 or higher
+ },
+ }
+
+ err = server.ListenAndServeTLS(certFile, keyFile)
 return
 }
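Review bot: The new `http.Server` literal in the RunTLS hunk sets only `Addr`, `Handler` and `TLSConfig`, so the TLS listener still runs with no `ReadHeaderTimeout` (nor `ReadTimeout`/`IdleTimeout`); the replaced `http.ListenAndServeTLS` call had the same gap, but now that the commit builds the server struct explicitly this is the natural place to bound slow header reads, e.g. `ReadHeaderTimeout: 10 * time.Second, // constructed value, tune per deployment` (adding the `time` import if gin.go does not already have it). gosec's G112 check reports exactly this missing field, so leaving it out will likely show up in CI lint once the struct literal exists. The `// TLS 1.2 or higher` comment only restates `tls.VersionTLS12`; what would help callers is a sentence in the RunTLS doc comment, which lies outside this hunk, stating that the server enforces TLS 1.2 as a minimum and that anyone needing other TLS settings should wrap `engine.Handler()` in their own `http.Server`. RunTLS begins before the hunk and its first context lines belong to a trusted-proxy warning whose condition is not visible here.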