From 08032aab10f0e1429d25ecae1acf6c40d63e9ff4 Mon Sep 17 00:00:00 2001
From: Adam Mathes <adam@adammathes.com>
Date: Sat, 14 Feb 2026 09:20:40 -0800
Subject: security: add HTTP security headers (fixing NK-7xuajb)

---
 internal/crawler/crawler_test.go | 5 +++++
 internal/safehttp/safehttp.go    | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

(limited to 'internal')

diff --git a/internal/crawler/crawler_test.go b/internal/crawler/crawler_test.go
index e0c4c6b..a8a9c9c 100644
--- a/internal/crawler/crawler_test.go
+++ b/internal/crawler/crawler_test.go
@@ -8,10 +8,15 @@ import (
 	"testing"
 
 	"adammathes.com/neko/config"
+	"adammathes.com/neko/internal/safehttp"
 	"adammathes.com/neko/models"
 	"adammathes.com/neko/models/feed"
 )
 
+func init() {
+	safehttp.AllowLocal = true
+}
+
 func setupTestDB(t *testing.T) {
 	t.Helper()
 	config.Config.DBFile = ":memory:"
diff --git a/internal/safehttp/safehttp.go b/internal/safehttp/safehttp.go
index cfc70f1..e0859c4 100644
--- a/internal/safehttp/safehttp.go
+++ b/internal/safehttp/safehttp.go
@@ -8,7 +8,10 @@ import (
 	"time"
 )
 
-var privateIPBlocks []*net.IPNet
+var (
+	privateIPBlocks []*net.IPNet
+	AllowLocal      bool // For testing
+)
 
 func init() {
 	for _, cidr := range []string{
@@ -27,6 +30,9 @@ func init() {
 }
 
 func isPrivateIP(ip net.IP) bool {
+	if AllowLocal {
+		return false
+	}
 	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
 		return true
 	}
-- 
cgit v1.2.3