-rw-r--r--backend/router.go15
-rw-r--r--frontend/index.ts1
-rw-r--r--frontend/scss/main.scss14
3 files changed, 28 insertions, 2 deletions
diff --git a/backend/router.go b/backend/router.go
index fd72711..3e6a39a 100644
--- a/backend/router.go
+++ b/backend/router.go
@@ -67,15 +67,26 @@ func NewRouter(debug bool, cfg *Config, assets fs.FS) *chi.Mux {
LogRequestHeaders: []string{"Origin"},
LogResponseHeaders: []string{},
}))
+ // security headers
r.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- r.Header.Add("Access-Control-Allow-Origin", fmt.Sprintf("https://%s", cfg.Domain))
+ // prevent tracking
+ w.Header().Add("Referrer-Policy", "no-referrer")
+ // prevent iframe
+ w.Header().Add("X-Frame-Options", "deny")
+ // prevent bad content being parsed
+ w.Header().Add("X-Content-Type-Options", "nosniff")
+ w.Header().Add("X-Permitted-Cross-Domain-Policies", "none")
+ // content security, cors & co
+ w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' *.%s; object-src 'none';", cfg.Domain))
+ w.Header().Add("Access-Control-Allow-Origin", fmt.Sprintf("https://%s", cfg.Domain))
if !debug {
- r.Header.Add("Access-Control-Max-Age", fmt.Sprintf("%d", 24*60*60))
+ w.Header().Add("Access-Control-Max-Age", fmt.Sprintf("%d", 24*60*60))
}
next.ServeHTTP(w, r)
})
})
+ // context
r.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx := context.WithValue(r.Context(), configKey, cfg)
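Review bot: The Content-Security-Policy written at L30 leaves framing and base URI unrestricted, because `frame-ancestors` and `base-uri` do not fall back to `default-src`; since the same middleware sets `X-Frame-Options: deny`, the CSP should carry the equivalent directive so browsers that honour CSP over X-Frame-Options enforce the same rule, e.g. `fmt.Sprintf("default-src 'self' *.%s; object-src 'none'; frame-ancestors 'none'; base-uri 'self';", cfg.Domain)`. The `*.%s` source has no scheme, so it matches whichever scheme the page was served over; given the `https://` origin used for Access-Control-Allow-Origin on L31, `https://*.%s` would pin it, assuming the site is HTTPS-only. All of these headers are written with `Header().Add`, which appends a second value if any other middleware or handler sets the same header; `Header().Set` states the intent of one fixed value and avoids a duplicated, possibly conflicting, policy header. NewRouter starts and ends outside the hunk.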
diff --git a/frontend/index.ts b/frontend/index.ts
index b970e5f..d3c974f 100644
--- a/frontend/index.ts
+++ b/frontend/index.ts
@@ -1,6 +1,7 @@
import htmx from "htmx.org";
htmx.config.historyRestoreAsHxRequest = false;
+htmx.config.includeIndicatorStyles = false;
function setupAnchors() {
document.querySelectorAll("a").forEach((e) => {
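Review bot: The flag set on L50 has no comment saying why htmx's default indicator styles are disabled. The companion change in backend/router.go adds a Content-Security-Policy of `default-src 'self'` with no `'unsafe-inline'`, which would presumably block the inline `<style>` htmx injects for `.htmx-indicator` by default, and the new rules in frontend/scss/main.scss appear to replace it; that reasoning is worth recording next to the flag, e.g. `// htmx injects an inline <style> for .htmx-indicator by default; the CSP (default-src 'self') blocks it, so the rules live in scss/main.scss`. setupAnchors continues past the hunk.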
diff --git a/frontend/scss/main.scss b/frontend/scss/main.scss
index d704d74..ced6763 100644
--- a/frontend/scss/main.scss
+++ b/frontend/scss/main.scss
@@ -33,3 +33,17 @@
font-size: 18px;
}
+
+/* for htmx */
+
+.htmx-indicator {
+ opacity: 0;
+}
+.htmx-request .htmx-indicator {
+ opacity: 1;
+ transition: opacity 200ms ease-in;
+}
+.htmx-request.htmx-indicator {
+ opacity: 1;
+ transition: opacity 200ms ease-in;
+}