x/spend-sparrow
2
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

fix: move implementation to "internal" package
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 4m49s
Details
Build and Push Docker Image / Build-And-Push-Docker-Image (push) Successful in 5m8s
Details

Browse Source
This commit was merged in pull request #138.
This commit is contained in:
Tim Wundenberg
2025-05-29 13:23:13 +02:00
parent 9bb0cc475d
commit 6219741634
72 changed files with 245 additions and 230 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
internal/handler/middleware/security_headers.go Normal file
View File

@@ -0,0 +1,40 @@
package middleware
import (
"net/http"
"spend-sparrow/internal/types"
)
func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
w.Header().Set("Content-Security-Policy",
"default-src 'none'; "+
"script-src 'self'; "+
"font-src 'self'; "+
"connect-src 'self'; "+
"img-src 'self'; "+
"style-src 'self'; "+
"form-action 'self'; "+
"frame-ancestors 'none'; ",
)
w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
w.Header().Set("Permissions-Policy", "geolocation=(), camera=(), microphone=(), interest-cohort=()")
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
if r.Method == http.MethodOptions {
w.WriteHeader(http.StatusOK)
return
}
next.ServeHTTP(w, r)
})
}
}