CORS middleware. And fix middleware types for logging and securityheaders.

internal/middleware/security.go

@@ -7,49 +7,51 @@ import (
 )
 
 // SecurityHeaders adds security and cache-control headers to all responses
-func SecureHeaders(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Caching headers
-		w.Header().Set("Cache-Control", "no-store")
+func SecureHeaders() Middleware {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Caching headers
+			w.Header().Set("Cache-Control", "no-store")
 
-		// XSSProtection provides protection against cross-site scripting attack (XSS)
-		w.Header().Set("X-XSS-Protection", "1; mode=block")
+			// XSSProtection provides protection against cross-site scripting attack (XSS)
+			w.Header().Set("X-XSS-Protection", "1; mode=block")
 
-		// ContentTypeNosniff provides protection against overriding Content-Type
-		w.Header().Set("X-Content-Type-Options", "nosniff")
+			// ContentTypeNosniff provides protection against overriding Content-Type
+			w.Header().Set("X-Content-Type-Options", "nosniff")
 
-		// XFrameOptions prevents the page from being displayed in a frame
-		w.Header().Set("X-Frame-Options", "DENY")
+			// XFrameOptions prevents the page from being displayed in a frame
+			w.Header().Set("X-Frame-Options", "DENY")
 
-		// HSTS (HTTP Strict Transport Security) forces the browser to use HTTPS
-		w.Header().Set("Strict-Transport-Security", "max-age=3600; includeSubDomains")
+			// HSTS (HTTP Strict Transport Security) forces the browser to use HTTPS
+			w.Header().Set("Strict-Transport-Security", "max-age=3600; includeSubDomains")
 
-		// ReferrerPolicy sets the referrer information passed during navigation
-		w.Header().Set("Referrer-Policy", "no-referrer")
+			// ReferrerPolicy sets the referrer information passed during navigation
+			w.Header().Set("Referrer-Policy", "no-referrer")
 
-		// CSP controls the resources the user agent is allowed to load for a page
-		w.Header().Set("Content-Security-Policy",
-			"default-src 'self'; "+
-				// Allow HTMX to load from unpkg.com
-				"script-src 'self' https://unpkg.com/htmx.org@*; "+
-				"style-src 'self'; "+
-				"img-src 'self' data:; "+
-				"connect-src 'self'; "+
-				"frame-ancestors 'none'; "+
-				"form-action 'self'; "+
-				"base-uri 'self';")
+			// CSP controls the resources the user agent is allowed to load for a page
+			w.Header().Set("Content-Security-Policy",
+				"default-src 'self'; "+
+					// Allow HTMX to load from unpkg.com
+					"script-src 'self' https://unpkg.com/htmx.org@*; "+
+					"style-src 'self'; "+
+					"img-src 'self' data:; "+
+					"connect-src 'self'; "+
+					"frame-ancestors 'none'; "+
+					"form-action 'self'; "+
+					"base-uri 'self';")
 
-		// Cross-Origin-Embedder-Policy prevents cross-origin resources from being loaded
-		w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
+			// Cross-Origin-Embedder-Policy prevents cross-origin resources from being loaded
+			w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
 
-		// Cross-Origin-Opener-Policy prevents cross-origin documents from being loaded
-		w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
+			// Cross-Origin-Opener-Policy prevents cross-origin documents from being loaded
+			w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 
-		// Cross-Origin-Resource-Policy prevents cross-origin resources from being loaded
-		w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
+			// Cross-Origin-Resource-Policy prevents cross-origin resources from being loaded
+			w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
 
-		next.ServeHTTP(w, r)
-	})
+			next.ServeHTTP(w, r)
+		})
+	}
 }
 
 // middleware/csrf.go