From 45a1cbdfd4249c010bdc381225ad12facad18e6e Mon Sep 17 00:00:00 2001
From: Tim Wundenberg
Date: Tue, 19 Nov 2024 21:47:53 +0100
Subject: [PATCH] feat(security): enable Content-Security-Plolicy #263

---
 handler/default.go | 2 +-
 middleware/content_security_policiy.go | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 middleware/content_security_policiy.go

diff --git a/handler/default.go b/handler/default.go
index b1dc2fc..fb2f75a 100644
--- a/handler/default.go
+++ b/handler/default.go
@@ -35,5 +35,5 @@ func GetHandler(d *sql.DB, serverSettings *types.ServerSettings) http.Handler {
 authHandler.handle(router)
- return middleware.Logging(middleware.EnableCors(serverSettings, router))
+ return middleware.Logging(middleware.ContentSecurityPolicy(middleware.EnableCors(serverSettings, router)))
 }
diff --git a/middleware/content_security_policiy.go b/middleware/content_security_policiy.go
new file mode 100644
index 0000000..61670f4
--- /dev/null
+++ b/middleware/content_security_policiy.go
@@ -0,0 +1,11 @@
+package middleware
+
+import "net/http"
+
+func ContentSecurityPolicy(next http.Handler) http.Handler {
+
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("Content-Security-Policy", "default-src 'self'")
+ next.ServeHTTP(w, r)
+ })
+}
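Review bot: The policy is hard-coded inside middleware.ContentSecurityPolicy while the neighbouring middleware.EnableCors on the same line is driven by serverSettings, so this wiring gives an operator no way to adjust the directives for a deployment that serves a front end needing inline styles or third-party assets. If types.ServerSettings already carries per-deployment options (not visible in this hunk), consider threading it through in the same way, e.g. `middleware.ContentSecurityPolicy(serverSettings, middleware.EnableCors(serverSettings, router))`, with the directive list read from settings and falling back to the current value. Because ContentSecurityPolicy wraps EnableCors, CORS preflight responses also carry the header; that is harmless but worth a one-line comment at the return if intentional. GetHandler begins outside the hunk.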
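Review bot: `default-src 'self'` on its own leaves framing, base-tag injection and form targets unrestricted, because `frame-ancestors`, `base-uri` and `form-action` do not fall back to default-src; if this is meant as the hardening baseline the commit subject describes, `w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'")` closes those gaps, with `frame-ancestors` relaxed only if the app is intended to be embedded. The exported function has no doc comment; `// ContentSecurityPolicy wraps next and sets a Content-Security-Policy header on every response. The header is set before next runs, so a downstream handler may replace it.` states both the default and the override order that the visible code establishes. The empty line directly after the opening brace of ContentSecurityPolicy is noise and should be dropped, and the new file name `content_security_policiy.go` carries a typo that will be cheaper to fix now than after other code imports from this package.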