favoritter/internal/middleware/security.go

// SPDX-License-Identifier: AGPL-3.0-or-later

package middleware

import "net/http"

// SecurityHeaders adds security-related HTTP headers to every response.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
		// CSP allows inline styles from Pico CSS and scripts from self only.
		// The 'unsafe-inline' for style-src is needed for Pico CSS.
		h.Set("Content-Security-Policy",
			"default-src 'self'; "+
				"style-src 'self' 'unsafe-inline'; "+
				"img-src 'self' data:; "+
				"frame-ancestors 'none'")
		next.ServeHTTP(w, r)
	})
}
feat: implement Phase 1 (auth) and Phase 2 (faves CRUD) foundation Go backend with server-rendered HTML/HTMX frontend, SQLite database, and filesystem image storage. Self-hostable single-binary architecture. Phase 1 — Authentication & project foundation: - Argon2id password hashing with timing-attack prevention - Session management with cookie-based auth and periodic cleanup - Login, signup (open/requests/closed modes), logout, forced password reset - CSRF double-submit cookie pattern with HTMX auto-inclusion - Proxy-aware real IP extraction (WireGuard/Tailscale support) - Configurable base path for subdomain and subpath deployment - Rate limiting on auth endpoints with background cleanup - Security headers (CSP, X-Frame-Options, Referrer-Policy) - Structured logging with slog, graceful shutdown - Pico CSS + HTMX vendored and embedded via go:embed Phase 2 — Faves CRUD with tags and images: - Full CRUD for favorites with ownership checks - Image upload with EXIF stripping, resize to 1920px, UUID filenames - Tag system with HTMX autocomplete (prefix search, popularity-sorted) - Privacy controls (public/private per fave, user-configurable default) - Tag browsing, pagination, batch tag loading (avoids N+1) - OpenGraph meta tags on public fave detail pages Includes code quality pass: extracted shared helpers, fixed signup request persistence bug, plugged rate limiter memory leak, removed dead code, and logged previously-swallowed errors. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-29 15:55:22 +02:00			`// SPDX-License-Identifier: AGPL-3.0-or-later`

			`package middleware`

			`import "net/http"`

			`// SecurityHeaders adds security-related HTTP headers to every response.`
			`func SecurityHeaders(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`h := w.Header()`
			`h.Set("X-Content-Type-Options", "nosniff")`
			`h.Set("X-Frame-Options", "DENY")`
			`h.Set("Referrer-Policy", "strict-origin-when-cross-origin")`
			`h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")`
			`// CSP allows inline styles from Pico CSS and scripts from self only.`
			`// The 'unsafe-inline' for style-src is needed for Pico CSS.`
			`h.Set("Content-Security-Policy",`
			`"default-src 'self'; "+`
			`"style-src 'self' 'unsafe-inline'; "+`
			`"img-src 'self' data:; "+`
			`"frame-ancestors 'none'")`
			`next.ServeHTTP(w, r)`
			`})`
			`}`