From 08032aab10f0e1429d25ecae1acf6c40d63e9ff4 Mon Sep 17 00:00:00 2001
From: Adam Mathes <adam@adammathes.com>
Date: Sat, 14 Feb 2026 09:20:40 -0800
Subject: security: add HTTP security headers (fixing NK-7xuajb)

---
 web/web.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

(limited to 'web/web.go')

diff --git a/web/web.go b/web/web.go
index 4868577..11a5831 100644
--- a/web/web.go
+++ b/web/web.go
@@ -259,7 +259,7 @@ func NewRouter(cfg *config.Settings) http.Handler {
 
 	mux.Handle("/", GzipMiddleware(AuthWrap(http.HandlerFunc(indexHandler))))
 
-	return CSRFMiddleware(mux)
+	return SecurityHeadersMiddleware(CSRFMiddleware(mux))
 }
 
 func Serve(cfg *config.Settings) {
@@ -383,3 +383,19 @@ func CSRFMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func SecurityHeadersMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("X-XSS-Protection", "1; mode=block")
+		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+		// Content-Security-Policy
+		// default-src 'self'
+		// style-src 'self' 'unsafe-inline' (for React/styled-components if used)
+		// img-src 'self' data: * (RSS images can be from anywhere)
+		// connect-src 'self' (API calls)
+		w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: *; connect-src 'self'; frame-ancestors 'none';")
+		next.ServeHTTP(w, r)
+	})
+}
-- 
cgit v1.2.3