akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
eec8c28fb3c2e8c0bc387bb3139184b8d67f1b21
Charon/backend/internal/api/middleware/security.go
akanealw eec8c28fb3
Some checks failed
Go Benchmark / Performance Regression Check (push) Has been cancelled
Details
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Details
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Details
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
Details
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
Details
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
Details
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Details
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Details
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Details
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Details
Quality Checks / Backend (Go) (push) Has been cancelled
Details
Quality Checks / Frontend (React) (push) Has been cancelled
Details
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Details
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Details
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
Details
WAF integration / Coraza WAF Integration (push) Has been cancelled
Details
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Details
Repo Health Check / Repo health (push) Has been cancelled
Details
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Details
Prune Renovate Branches / prune (push) Has been cancelled
Details
changed perms
2026-04-22 18:19:14 +00:00

131 lines
4.4 KiB
Go
Executable File
Raw Blame History

package middleware
import (
"fmt"
"strings"
"github.com/gin-gonic/gin"
)
// SecurityHeadersConfig holds configuration for the security headers middleware.
type SecurityHeadersConfig struct {
// IsDevelopment enables less strict settings for local development
IsDevelopment bool
// CustomCSPDirectives allows adding extra CSP directives
CustomCSPDirectives map[string]string
}
// DefaultSecurityHeadersConfig returns a secure default configuration.
func DefaultSecurityHeadersConfig() SecurityHeadersConfig {
return SecurityHeadersConfig{
IsDevelopment: false,
CustomCSPDirectives: nil,
}
}
// SecurityHeaders returns middleware that sets security-related HTTP headers.
// This implements Phase 1 of the security hardening plan.
func SecurityHeaders(cfg SecurityHeadersConfig) gin.HandlerFunc {
return func(c *gin.Context) {
// Build Content-Security-Policy
csp := buildCSP(cfg)
c.Header("Content-Security-Policy", csp)
// Strict-Transport-Security (HSTS)
// max-age=31536000 = 1 year
// includeSubDomains ensures all subdomains also use HTTPS
// preload allows browser preload lists (requires submission to hstspreload.org)
if !cfg.IsDevelopment {
c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
}
// X-Frame-Options: Prevent clickjacking
// DENY prevents any framing; SAMEORIGIN would allow same-origin framing
c.Header("X-Frame-Options", "DENY")
// X-Content-Type-Options: Prevent MIME sniffing
c.Header("X-Content-Type-Options", "nosniff")
// X-XSS-Protection: Enable browser XSS filtering (legacy but still useful)
// mode=block tells browser to block the response if XSS is detected
c.Header("X-XSS-Protection", "1; mode=block")
// Referrer-Policy: Control referrer information sent with requests
// strict-origin-when-cross-origin sends full URL for same-origin, origin only for cross-origin
c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
// Permissions-Policy: Restrict browser features
// Disable features that aren't needed for security
c.Header("Permissions-Policy", buildPermissionsPolicy())
// Cross-Origin-Opener-Policy: Isolate browsing context
// Skip in development mode to avoid browser warnings on HTTP
// In production, Caddy always uses HTTPS, so safe to set unconditionally
if !cfg.IsDevelopment {
c.Header("Cross-Origin-Opener-Policy", "same-origin")
}
// Cross-Origin-Resource-Policy: Prevent cross-origin reads
c.Header("Cross-Origin-Resource-Policy", "same-origin")
// Cross-Origin-Embedder-Policy: Require CORP for cross-origin resources
// Note: This can break some external resources, use with caution
// c.Header("Cross-Origin-Embedder-Policy", "require-corp")
c.Next()
}
}
// buildCSP constructs the Content-Security-Policy header value.
func buildCSP(cfg SecurityHeadersConfig) string {
// Base CSP directives for a secure single-page application
directives := map[string]string{
"default-src": "'self'",
"script-src": "'self'",
"style-src": "'self' 'unsafe-inline'", // unsafe-inline needed for many CSS-in-JS solutions
"img-src": "'self' data: https:", // Allow HTTPS images and data URIs
"font-src": "'self' data:", // Allow self-hosted fonts and data URIs
"connect-src": "'self'", // API connections
"frame-src": "'none'", // No iframes
"object-src": "'none'", // No plugins (Flash, etc.)
"base-uri": "'self'", // Restrict base tag
"form-action": "'self'", // Restrict form submissions
}
// In development, allow more sources for hot reloading, etc.
if cfg.IsDevelopment {
directives["script-src"] = "'self' 'unsafe-inline' 'unsafe-eval'"
directives["connect-src"] = "'self' ws: wss:" // WebSocket for HMR
}
// Apply custom directives
for key, value := range cfg.CustomCSPDirectives {
directives[key] = value
}
// Build the CSP string
var parts []string
for directive, value := range directives {
parts = append(parts, fmt.Sprintf("%s %s", directive, value))
}
return strings.Join(parts, "; ")
}
// buildPermissionsPolicy constructs the Permissions-Policy header value.
func buildPermissionsPolicy() string {
// Disable features we don't need
policies := []string{
"accelerometer=()",
"camera=()",
"geolocation=()",
"gyroscope=()",
"magnetometer=()",
"microphone=()",
"payment=()",
"usb=()",
}
return strings.Join(policies, ", ")
}
Reference in New Issue View Git Blame Copy Permalink