aboutsummaryrefslogtreecommitdiff
path: root/backend
diff options
context:
space:
mode:
Diffstat (limited to 'backend')
-rw-r--r--backend/router.go15
1 files changed, 13 insertions, 2 deletions
diff --git a/backend/router.go b/backend/router.go
index fd72711..3e6a39a 100644
--- a/backend/router.go
+++ b/backend/router.go
@@ -67,15 +67,26 @@ func NewRouter(debug bool, cfg *Config, assets fs.FS) *chi.Mux {
LogRequestHeaders: []string{"Origin"},
LogResponseHeaders: []string{},
}))
+ // security headers
r.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- r.Header.Add("Access-Control-Allow-Origin", fmt.Sprintf("https://%s", cfg.Domain))
+ // prevent tracking
+ w.Header().Add("Referrer-Policy", "no-referrer")
+ // prevent iframe
+ w.Header().Add("X-Frame-Options", "deny")
+ // prevent bad content being parsed
+ w.Header().Add("X-Content-Type-Options", "nosniff")
+ w.Header().Add("X-Permitted-Cross-Domain-Policies", "none")
+ // content security, cors & co
+ w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' *.%s; object-src 'none';", cfg.Domain))
+ w.Header().Add("Access-Control-Allow-Origin", fmt.Sprintf("https://%s", cfg.Domain))
if !debug {
- r.Header.Add("Access-Control-Max-Age", fmt.Sprintf("%d", 24*60*60))
+ w.Header().Add("Access-Control-Max-Age", fmt.Sprintf("%d", 24*60*60))
}
next.ServeHTTP(w, r)
})
})
+ // context
r.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx := context.WithValue(r.Context(), configKey, cfg)
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-03 16:03:23 +0000