package middleware

import "net/http"

func ContentSecurityPolicy(next http.Handler) http.Handler {

	values := map[string]string{
		"default-src":     "'none'",
		"script-src":      "'self' https://umami.me-fit.eu",
		"connect-src":     "'self' https://umami.me-fit.eu",
		"img-src":         "'self'",
		"style-src":       "'self'",
		"form-action":     "'self'",
		"frame-ancestors": "'none'",
	}

	var headerValue string
	for key, value := range values {
		headerValue += key + " " + value + "; "
	}

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// While this value can be overridden, it can't be moved to after the next.ServeHTTP call,
		// because if the response writer get's closed, the headers can't be set anymore
		w.Header().Set("Content-Security-Policy", headerValue)

		next.ServeHTTP(w, r)
	})
}