security: add headers middleware, session regeneration, and body size limits
All checks were successful
check / check (push) Successful in 6s
All checks were successful
check / check (push) Successful in 6s
- Add SecurityHeaders middleware applied globally: HSTS, X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, and Permissions-Policy headers on every response. - Add session regeneration (Regenerate method) after successful login to prevent session fixation attacks. Old session is destroyed and a new ID is issued. - Add MaxBodySize middleware using http.MaxBytesReader to limit POST/PUT/PATCH request bodies to 1 MB on all form endpoints (/pages, /sources, /source/*). - Update README.md: document SecurityHeaders and MaxBodySize in the middleware stack, update Security section, move security headers to completed TODO. Closes #34, closes #38, closes #39
This commit is contained in:
clawbot
@@ -11,12 +11,18 @@ import (
|
||||
"sneak.berlin/go/webhooker/static"
|
||||
)
|
||||
|
||||
// maxFormBodySize is the maximum allowed request body size (in bytes) for
|
||||
// form POST endpoints. 1 MB is generous for any form submission while
|
||||
// preventing abuse from oversized payloads.
|
||||
const maxFormBodySize int64 = 1 * 1024 * 1024 // 1 MB
|
||||
|
||||
func (s *Server) SetupRoutes() {
|
||||
s.router = chi.NewRouter()
|
||||
|
||||
// Global middleware stack — applied to every request.
|
||||
s.router.Use(middleware.Recoverer)
|
||||
s.router.Use(middleware.RequestID)
|
||||
s.router.Use(s.mw.SecurityHeaders())
|
||||
s.router.Use(s.mw.Logging())
|
||||
|
||||
// Metrics middleware (only if credentials are configured)
|
||||
@@ -60,6 +66,8 @@ func (s *Server) SetupRoutes() {
|
||||
|
||||
// pages that are rendered server-side
|
||||
s.router.Route("/pages", func(r chi.Router) {
|
||||
r.Use(s.mw.MaxBodySize(maxFormBodySize))
|
||||
|
||||
// Login page (no auth required)
|
||||
r.Get("/login", s.h.HandleLoginPage())
|
||||
r.Post("/login", s.h.HandleLoginSubmit())
|
||||
@@ -76,6 +84,7 @@ func (s *Server) SetupRoutes() {
|
||||
// Webhook management routes (require authentication)
|
||||
s.router.Route("/sources", func(r chi.Router) {
|
||||
r.Use(s.mw.RequireAuth())
|
||||
r.Use(s.mw.MaxBodySize(maxFormBodySize))
|
||||
r.Get("/", s.h.HandleSourceList()) // List all webhooks
|
||||
r.Get("/new", s.h.HandleSourceCreate()) // Show create form
|
||||
r.Post("/new", s.h.HandleSourceCreateSubmit()) // Handle create submission
|
||||
@@ -83,6 +92,7 @@ func (s *Server) SetupRoutes() {
|
||||
|
||||
s.router.Route("/source/{sourceID}", func(r chi.Router) {
|
||||
r.Use(s.mw.RequireAuth())
|
||||
r.Use(s.mw.MaxBodySize(maxFormBodySize))
|
||||
r.Get("/", s.h.HandleSourceDetail()) // View webhook details
|
||||
r.Get("/edit", s.h.HandleSourceEdit()) // Show edit form
|
||||
r.Post("/edit", s.h.HandleSourceEditSubmit()) // Handle edit submission
|
||||
|
||||
Reference in New Issue
Block a user