feat(security): #314 include all proposed security headers

2024-12-12 21:37:23 +01:00
parent 60fe2789cc
commit 1ad694ce2b
8 changed files with 48 additions and 85 deletions
--- a/handler/middleware/security_headers.go
+++ b/handler/middleware/security_headers.go
@@ -0,0 +1,46 @@
+package middleware
+
+import (
+	"net/http"
+
+	"me-fit/types"
+)
+
+func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Handler {
+	cspValues := map[string]string{
+		"default-src":     "'none'",
+		"script-src":      "'self' https://umami.me-fit.eu",
+		"connect-src":     "'self' https://umami.me-fit.eu",
+		"img-src":         "'self'",
+		"style-src":       "'self'",
+		"form-action":     "'self'",
+		"frame-ancestors": "'none'",
+	}
+
+	var csp string
+	for key, value := range cspValues {
+		csp += key + " " + value + "; "
+	}
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("X-Content-Type-Options", "nosniff")
+			w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
+			w.Header().Set("Content-Security-Policy", csp)
+			w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
+			w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
+			w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
+			w.Header().Set("Permissions-Policy", "geolocation=(), camera=(), microphone=()")
+			w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+			w.Header().Set("Permissions-Policy", "interest-cohort=()")
+
+			if r.Method == "OPTIONS" {
+				w.WriteHeader(http.StatusOK)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}