Refactor authentication middleware and enhance security headers

2025-02-25 13:39:24 -06:00
parent 8759bd2454
commit 0ba5eee981
6 changed files with 382 additions and 271 deletions
--- a/internal/middleware/security.go
+++ b/internal/middleware/security.go
@ -6,11 +6,27 @@ import (
 	"github.com/gorilla/sessions"
 )

-// SecureHeaders is a middleware function that adds secure headers to the HTTP response
+// SecurityHeaders adds security and cache-control headers to all responses
 func SecureHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Security-Policy", "default-src 'self'")
-		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+		// Set strict cache control headers
+		w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0")
+		w.Header().Set("Pragma", "no-cache")
+		w.Header().Set("Expires", "0")
+
+		// Add security headers with updated CSP
+		w.Header().Set("Content-Security-Policy",
+			"default-src 'self'; "+
+				"script-src 'self' https://unpkg.com/htmx.org@* 'unsafe-inline'; "+
+				"style-src 'self' 'unsafe-inline'; "+
+				"img-src 'self' data:; "+
+				"connect-src 'self'; "+
+				"frame-ancestors 'none'; "+
+				"form-action 'self'")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("X-XSS-Protection", "1; mode=block")
+
 		next.ServeHTTP(w, r)
 	})
 }