fix(security): add HTTP security headers middleware
Set X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP, and Strict-Transport-Security on all responses to mitigate clickjacking, MIME sniffing, XSS, and downgrade attacks. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
7b568607a6
commit
5451ec3918
2 changed files with 13 additions and 1 deletions
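--- a/main.go
+++ b/main.go
@@ -216,7 +216,8 @@ func main() {
 http.HandleFunc(fmt.Sprintf("%s/lost", *baseURL), lostPassword)
 
 srv := &http.Server{
-Addr: *bind,
+Addr: *bind,
+Handler: securityHeaders(http.DefaultServeMux),
 }
 
 // Serve content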
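--- a/static.go
+++ b/static.go
@@ -7,6 +7,17 @@ import (
 "net/http"
 )
 
+func securityHeaders(next http.Handler) http.Handler {
+return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+w.Header().Set("X-Frame-Options", "DENY")
+w.Header().Set("X-Content-Type-Options", "nosniff")
+w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'unsafe-inline' https://stackpath.bootstrapcdn.com; style-src https://stackpath.bootstrapcdn.com; img-src 'self'; font-src https://stackpath.bootstrapcdn.com")
+w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+next.ServeHTTP(w, r)
+})
+}
+
 //go:embed all:static
 var assets embed.FS
 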
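Review bot: The Content-Security-Policy set in securityHeaders lists `'unsafe-inline'` in `script-src`, which permits every inline script on the page to execute, so the policy does not deliver the XSS mitigation the commit message claims. Moving the pages' inline scripts into files served under `'self'`, or generating a per-request nonce and sending `'nonce-<value>'` in place of `'unsafe-inline'`, would restore that protection; which option fits depends on the templates, which are outside this hunk. Two related points: `script-src` and `style-src` omit `'self'`, so any script or stylesheet the server serves itself would be blocked (worth confirming against the embedded static directory), and adding `frame-ancestors 'none'` would carry the framing restriction in the CSP rather than relying on the legacy X-Frame-Options alone. The function also lacks a doc comment; `// securityHeaders wraps next and sets browser hardening headers on every response before the handler writes it.` would suffice, ideally with a one-line note that the HSTS value with includeSubDomains commits all subdomains to HTTPS for two years once a browser sees it over TLS.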