Security Hardening: Content Security Policy + more (#2108)

* Add CSP, varied security headers
2025-12-17 20:34:37 +03:00 · 2021-12-13 03:54:19 +00:00
parent 79e01589ca
commit b86c9fa8fe
4 changed files with 26 additions and 14 deletions
--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -54,6 +54,7 @@ func Start(uiBox embed.FS, loginUIBox embed.FS) {
 	if c.GetLogAccess() {
 		r.Use(middleware.Logger)
 	}
+	r.Use(SecurityHeadersMiddleware)
 	r.Use(middleware.DefaultCompress)
 	r.Use(middleware.StripSlashes)
 	r.Use(cors.AllowAll().Handler)
@@ -342,6 +343,28 @@ var (
 	BaseURLCtxKey = &contextKey{"BaseURL"}
 )

+func SecurityHeadersMiddleware(next http.Handler) http.Handler {
+	fn := func(w http.ResponseWriter, r *http.Request) {
+		c := config.GetInstance()
+		connectableOrigins := "connect-src data: 'self'"
+		if !c.IsNewSystem() && c.GetHandyKey() != "" {
+			connectableOrigins += " https://www.handyfeeling.com"
+		}
+		connectableOrigins += "; "
+
+		cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "script-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'; form-action 'none'"
+
+		w.Header().Set("Referrer-Policy", "same-origin")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("X-XSS-Protection", "1")
+		w.Header().Set("Content-Security-Policy", cspDirectives)
+
+		next.ServeHTTP(w, r)
+	}
+	return http.HandlerFunc(fn)
+}
+
 func BaseURLMiddleware(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()