From 337b39481b74bb7acb6be208c610d8f948cb6a7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ferdinand=20M=C3=BCtsch?=
Date: Fri, 16 Apr 2021 12:35:49 +0200
Subject: [PATCH] chore: set basic security headers (resolve #174)

---
 main.go | 1 +
 middlewares/security.go | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 middlewares/security.go

diff --git a/main.go b/main.go
index 095bcc0..8212ab0 100644
--- a/main.go
+++ b/main.go
@@ -185,6 +185,7 @@ func main() {
 if config.Sentry.Dsn != "" {
 router.Use(middlewares.NewSentryMiddleware())
 }
+ rootRouter.Use(middlewares.NewSecurityMiddleware())
 
 // Route registrations
 homeHandler.RegisterRoutes(rootRouter)
diff --git a/middlewares/security.go b/middlewares/security.go
new file mode 100644
index 0000000..377ffbe
--- /dev/null
+++ b/middlewares/security.go
@@ -0,0 +1,32 @@
+package middlewares
+
+import (
+ "net/http"
+)
+
+var securityHeaders = map[string]string{
+ "Cross-Origin-Opener-Policy": "same-origin",
+ "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; img-src 'self' https: data:; form-action 'self'; block-all-mixed-content;",
+ "X-Frame-Options": "DENY",
+ "X-Content-Type-Options": "nosniff",
+}
+
+// SecurityMiddleware is a handler to add some basic security headers to responses
+type SecurityMiddleware struct {
+ handler http.Handler
+}
+
+func NewSecurityMiddleware() func(http.Handler) http.Handler {
+ return func(h http.Handler) http.Handler {
+ return &SecurityMiddleware{h}
+ }
+}
+
+func (f *SecurityMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ for k, v := range securityHeaders {
+ if w.Header().Get(k) == "" {
+ w.Header().Set(k, v)
+ }
+ }
+ f.handler.ServeHTTP(w, r)
+}
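Review bot: The new middleware is attached to `rootRouter` while the Sentry middleware directly above it is attached to `router`; if `rootRouter` is a sub-router of `router`, responses served by any sibling sub-router (an API or static-file router, for instance) would leave without these headers, although response headers of this kind are meant to cover every response. Both router definitions sit outside this hunk, so this is inferred from the two different receivers; if `router` is the outermost mux, `router.Use(middlewares.NewSecurityMiddleware())` would cover all routes in one place. The enclosing `main()` begins and ends outside the hunk.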
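Review bot: The Content-Security-Policy value in `securityHeaders` puts `'unsafe-inline'` into `default-src`, which is inherited by `script-src` and therefore re-allows inline scripts, the main thing a CSP exists to block; `block-all-mixed-content` is also a deprecated directive that modern browsers ignore. If the templates only rely on inline styles, `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https: data:; form-action 'self'; frame-ancestors 'none'"` keeps the pages working while actually restricting script execution, and `frame-ancestors 'none'` pairs with the existing `X-Frame-Options: DENY` for browsers that honour only the CSP form; whether the templates contain inline scripts cannot be seen from here and has to be checked before tightening. `NewSecurityMiddleware` is exported without a doc comment; `// NewSecurityMiddleware returns a middleware constructor that adds securityHeaders to every response, leaving a header already set by an outer middleware untouched (handlers run afterwards and can still override).` would also explain the `Get(k) == ""` guard in ServeHTTP. Ranging over a map makes header insertion order non-deterministic between responses; a slice of key/value pairs would give reproducible output, though nothing functional depends on it.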