security: add headers middleware, session regeneration, and body size limits (#41)

## Summary This PR implements three security hardening measures: ### Security Headers Middleware (closes #34) Adds a `SecurityHeaders()` middleware applied globally to all routes. Every response now includes: - `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload` - `X-Content-Type-Options: nosniff` - `X-Frame-Options: DENY` - `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'` - `Referrer-Policy: strict-origin-when-cross-origin` - `Permissions-Policy: camera=(), microphone=(), geolocation=()` ### Session Fixation Prevention (closes #38) Adds a `Regenerate()` method to the session manager that destroys the old session and creates a new one with a fresh ID, copying all session values. Called after successful login to prevent session fixation attacks. ### Request Body Size Limits (closes #39) Adds a `MaxBodySize()` middleware using `http.MaxBytesReader` to limit POST/PUT/PATCH request bodies to 1 MB. Applied to all form endpoints (`/pages`, `/sources`, `/source/*`). ## Files Changed - `internal/middleware/middleware.go` — Added `SecurityHeaders()` and `MaxBodySize()` middleware - `internal/session/session.go` — Added `Regenerate()` method for session fixation prevention - `internal/handlers/auth.go` — Updated login handler to regenerate session after authentication - `internal/server/routes.go` — Added SecurityHeaders globally, MaxBodySize to form route groups - `README.md` — Documented new middleware in stack, updated Security section, moved items to completed TODO closes #34, closes #38, closes #39 Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #41 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-05 12:32:56 +01:00
parent a51e863017
commit 1fbcf96581
5 changed files with 127 additions and 9 deletions
--- a/internal/session/session.go
+++ b/internal/session/session.go
@@ -135,3 +135,50 @@ func (s *Session) Destroy(sess *sessions.Session) {
 	sess.Options.MaxAge = -1
 	s.ClearUser(sess)
 }
+
+// Regenerate creates a new session with the same values but a fresh ID.
+// The old session is destroyed (MaxAge = -1) and saved, then a new session
+// is created. This prevents session fixation attacks by ensuring the
+// session ID changes after privilege escalation (e.g. login).
+func (s *Session) Regenerate(r *http.Request, w http.ResponseWriter, oldSess *sessions.Session) (*sessions.Session, error) {
+	// Copy the values from the old session
+	oldValues := make(map[interface{}]interface{})
+	for k, v := range oldSess.Values {
+		oldValues[k] = v
+	}
+
+	// Destroy the old session
+	oldSess.Options.MaxAge = -1
+	s.ClearUser(oldSess)
+	if err := oldSess.Save(r, w); err != nil {
+		return nil, fmt.Errorf("failed to destroy old session: %w", err)
+	}
+
+	// Create a new session (gorilla/sessions generates a new ID)
+	newSess, err := s.store.New(r, SessionName)
+	if err != nil {
+		// store.New may return an error alongside a new empty session
+		// if the old cookie is now invalid. That is expected after we
+		// destroyed it above. Only fail on a nil session.
+		if newSess == nil {
+			return nil, fmt.Errorf("failed to create new session: %w", err)
+		}
+	}
+
+	// Restore the copied values into the new session
+	for k, v := range oldValues {
+		newSess.Values[k] = v
+	}
+
+	// Apply the standard session options (the destroyed old session had
+	// MaxAge = -1, which store.New might inherit from the cookie).
+	newSess.Options = &sessions.Options{
+		Path:     "/",
+		MaxAge:   86400 * 7,
+		HttpOnly: true,
+		Secure:   !s.config.IsDev(),
+		SameSite: http.SameSiteLaxMode,
+	}
+
+	return newSess, nil
+}