From 2e349a8b8319d01f7cba5260fab0bff664d710c8 Mon Sep 17 00:00:00 2001
From: sneak
Date: Thu, 8 Jan 2026 10:02:17 -0800
Subject: [PATCH] Implement security headers middleware

Adds X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and X-XSS-Protection headers to all responses.
---
 internal/middleware/middleware.go | 14 +++++++++++++-
 internal/server/routes.go | 1 +
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/internal/middleware/middleware.go b/internal/middleware/middleware.go
index 4c9de94..a0b5515 100644
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -135,10 +135,22 @@ func (s *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 }
 
 // SecurityHeaders returns a middleware that adds security headers to responses.
+// These headers help protect against common web vulnerabilities.
 func (s *Middleware) SecurityHeaders() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// TODO: implement security headers
+			// Prevent MIME type sniffing
+			w.Header().Set("X-Content-Type-Options", "nosniff")
+
+			// Prevent clickjacking
+			w.Header().Set("X-Frame-Options", "DENY")
+
+			// Control referrer information
+			w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+
+			// Disable XSS filtering (modern browsers don't need it, can cause issues)
+			w.Header().Set("X-XSS-Protection", "0")
+
 			next.ServeHTTP(w, r)
 		})
 	}
diff --git a/internal/server/routes.go b/internal/server/routes.go
index 5d3c0d3..cbc376a 100644
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -17,6 +17,7 @@ func (s *Server) SetupRoutes() {
 	s.router.Use(middleware.Recoverer)
 	s.router.Use(middleware.RequestID)
+	s.router.Use(s.mw.SecurityHeaders())
 	s.router.Use(s.mw.Logging())
 
 	// Add metrics middleware only if credentials are configured
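Review bot: The handler added in this hunk sets no Content-Security-Policy and no Strict-Transport-Security, so framing is restricted only by the legacy X-Frame-Options header and nothing constrains script or resource origins; if this service serves HTML, `w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")` is the minimum modern equivalent of the DENY line, and HSTS should be added only where this process (or a trusted proxy) terminates TLS, which the hunk does not show. The expanded doc comment `// These headers help protect against common web vulnerabilities.` is vaguer than the code below it; listing the four headers that are set and stating that CSP and HSTS are intentionally left to the operator would tell a future reader what is and is not covered. Note also that the headers are set before `next.ServeHTTP`, so any downstream handler can still override or delete them, which is fine but worth a one-line comment. The outer closing brace of SecurityHeaders lies past the end of the hunk.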