2024-11-23 20:52:12 +00:00
1 changed files with 16 additions and 1 deletions
--- a/middleware/content_security_policiy.go
+++ b/middleware/content_security_policiy.go
@@ -4,10 +4,25 @@ import "net/http"

 func ContentSecurityPolicy(next http.Handler) http.Handler {

+	values := map[string]string{
+		"default-src":     "'none'",
+		"script-src":      "'self' https://umami.me-fit.eu",
+		"connect-src":     "'self' https://umami.me-fit.eu",
+		"img-src":         "'self'",
+		"style-src":       "'self'",
+		"form-action":     "'self'",
+		"frame-ancestors": "'none'",
+	}
+
+	var headerValue string
+	for key, value := range values {
+		headerValue += key + " " + value + "; "
+	}
+
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// While this value can be overridden, it can't be moved to after the next.ServeHTTP call,
 		// because if the response writer get's closed, the headers can't be set anymore
-		w.Header().Set("Content-Security-Policy", "default-src 'self' https://umami.me-fit.eu; frame-ancestors 'none'")
+		w.Header().Set("Content-Security-Policy", headerValue)

 		next.ServeHTTP(w, r)
 	})