aboutsummaryrefslogtreecommitdiffstats
path: root/web/web.go
diff options
context:
space:
mode:
Diffstat (limited to 'web/web.go')
-rw-r--r--web/web.go18
1 files changed, 17 insertions, 1 deletions
diff --git a/web/web.go b/web/web.go
index 4868577..11a5831 100644
--- a/web/web.go
+++ b/web/web.go
@@ -259,7 +259,7 @@ func NewRouter(cfg *config.Settings) http.Handler {
mux.Handle("/", GzipMiddleware(AuthWrap(http.HandlerFunc(indexHandler))))
- return CSRFMiddleware(mux)
+ return SecurityHeadersMiddleware(CSRFMiddleware(mux))
}
func Serve(cfg *config.Settings) {
@@ -383,3 +383,19 @@ func CSRFMiddleware(next http.Handler) http.Handler {
next.ServeHTTP(w, r)
})
}
+
+func SecurityHeadersMiddleware(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("X-Content-Type-Options", "nosniff")
+ w.Header().Set("X-Frame-Options", "DENY")
+ w.Header().Set("X-XSS-Protection", "1; mode=block")
+ w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+ // Content-Security-Policy
+ // default-src 'self'
+ // style-src 'self' 'unsafe-inline' (for React/styled-components if used)
+ // img-src 'self' data: * (RSS images can be from anywhere)
+ // connect-src 'self' (API calls)
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: *; connect-src 'self'; frame-ancestors 'none';")
+ next.ServeHTTP(w, r)
+ })
+}
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-25 23:24:31 +0000