diff --git a/main.go b/main.go index f2c4c37..f76f06c 100644 --- a/main.go +++ b/main.go @@ -216,7 +216,8 @@ func main() { http.HandleFunc(fmt.Sprintf("%s/lost", *baseURL), lostPassword) srv := &http.Server{ - Addr: *bind, + Addr: *bind, + Handler: securityHeaders(http.DefaultServeMux), } // Serve content diff --git a/static.go b/static.go index 0570d91..e808fe1 100644 --- a/static.go +++ b/static.go @@ -7,6 +7,17 @@ import ( "net/http" ) +func securityHeaders(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("X-Frame-Options", "DENY") + w.Header().Set("X-Content-Type-Options", "nosniff") + w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin") + w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'unsafe-inline' https://stackpath.bootstrapcdn.com; style-src https://stackpath.bootstrapcdn.com; img-src 'self'; font-src https://stackpath.bootstrapcdn.com") + w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains") + next.ServeHTTP(w, r) + }) +} + //go:embed all:static var assets embed.FS