From f582b92e2b8e2a301380e420794e71200f0dbdfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?William=20Herg=C3=A8s?=
Date: Wed, 29 Oct 2025 14:46:50 +0100
Subject: feat(security): set headers

---
 backend/router.go | 15 +++++++++++++--
 frontend/index.ts | 1 +
 frontend/scss/main.scss | 14 ++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/backend/router.go b/backend/router.go
index fd72711..3e6a39a 100644
--- a/backend/router.go
+++ b/backend/router.go
@@ -67,15 +67,26 @@ func NewRouter(debug bool, cfg *Config, assets fs.FS) *chi.Mux {
 LogRequestHeaders: []string{"Origin"},
 LogResponseHeaders: []string{},
 }))
+ // security headers
 r.Use(func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- r.Header.Add("Access-Control-Allow-Origin", fmt.Sprintf("https://%s", cfg.Domain))
+ // prevent tracking
+ w.Header().Add("Referrer-Policy", "no-referrer")
+ // prevent iframe
+ w.Header().Add("X-Frame-Options", "deny")
+ // prevent bad content being parsed
+ w.Header().Add("X-Content-Type-Options", "nosniff")
+ w.Header().Add("X-Permitted-Cross-Domain-Policies", "none")
+ // content security, cors & co
+ w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' *.%s; object-src 'none';", cfg.Domain))
+ w.Header().Add("Access-Control-Allow-Origin", fmt.Sprintf("https://%s", cfg.Domain))
 if !debug {
- r.Header.Add("Access-Control-Max-Age", fmt.Sprintf("%d", 24*60*60))
+ w.Header().Add("Access-Control-Max-Age", fmt.Sprintf("%d", 24*60*60))
 }
 next.ServeHTTP(w, r)
 })
 })
+ // context
 r.Use(func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 ctx := context.WithValue(r.Context(), configKey, cfg)
diff --git a/frontend/index.ts b/frontend/index.ts
index b970e5f..d3c974f 100644
--- a/frontend/index.ts
+++ b/frontend/index.ts
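Review bot: The new Content-Security-Policy relies on default-src for everything, but frame-ancestors, base-uri and form-action never fall back to default-src, so the policy still leaves framing (the very thing the X-Frame-Options line is meant to stop), `<base>` injection and cross-origin form posts unrestricted; extend the directive list with `frame-ancestors 'none'; base-uri 'self'; form-action 'self'`. The header values are also rebuilt with fmt.Sprintf on every request inside the closure although they depend only on cfg.Domain, and Header().Add appends instead of replacing, so any later middleware or handler that sets the same header name produces duplicate values, which browsers are likely to reject for Access-Control-Allow-Origin; computing the strings once before r.Use and writing them with Set addresses both. Access-Control-Max-Age is only consulted on preflight responses, so the value can be the plain constant `"86400"` rather than `fmt.Sprintf("%d", 24*60*60)`. NewRouter begins and ends outside this hunk.
```go
	// security headers
	csp := fmt.Sprintf("default-src 'self' *.%s; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';", cfg.Domain)
	allowOrigin := "https://" + cfg.Domain
	r.Use(func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			h := w.Header()
			h.Set("Referrer-Policy", "no-referrer")
			h.Set("X-Frame-Options", "DENY")
			h.Set("X-Content-Type-Options", "nosniff")
			h.Set("X-Permitted-Cross-Domain-Policies", "none")
			h.Set("Content-Security-Policy", csp)
			h.Set("Access-Control-Allow-Origin", allowOrigin)
			if !debug {
				h.Set("Access-Control-Max-Age", "86400")
			}
			next.ServeHTTP(w, r)
		})
	})
	// … unchanged: context middleware …
```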
@@ -1,6 +1,7 @@ import htmx from "htmx.org"; htmx.config.historyRestoreAsHxRequest = false; +htmx.config.includeIndicatorStyles = false; function setupAnchors() { document.querySelectorAll("a").forEach((e) => { diff --git a/frontend/scss/main.scss b/frontend/scss/main.scss index d704d74..ced6763 100644 --- a/frontend/scss/main.scss +++ b/frontend/scss/main.scss @@ -33,3 +33,17 @@ font-size: 18px; } + +/* for htmx */ + +.htmx-indicator { + opacity: 0; +} +.htmx-request .htmx-indicator { + opacity: 1; + transition: opacity 200ms ease-in; +} +.htmx-request.htmx-indicator { + opacity: 1; + transition: opacity 200ms ease-in; +} -- cgit v1.2.3
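Review bot: The added `htmx.config.includeIndicatorStyles = false;` carries no explanation, and a reader will not connect it to the Content-Security-Policy introduced in backend/router.go by this same commit or to the indicator rules added to frontend/scss/main.scss. With that option on, htmx presumably injects its .htmx-indicator rules as an inline style element, which a `default-src 'self'` policy with no style-src and no 'unsafe-inline' would block, so the rules have to be shipped in the stylesheet instead. A one-line comment above the assignment would record that dependency: `// CSP (default-src 'self') blocks the inline <style> htmx would otherwise inject; the indicator rules live in scss/main.scss`.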