Add security response headers

Fixes #18 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 16:00:56 -08:00 · 2026-02-17 16:00:56 -08:00 · bcc912077d
parent e3ef03ddcd
commit bcc912077d
3 changed files with 14 additions and 0 deletions
--- a/internal/handlers/admin/routes.go
+++ b/internal/handlers/admin/routes.go
@ -29,6 +29,7 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	r.Use(middleware.RequestID)
 	r.Use(middleware.Logging)
 	r.Use(middleware.Recovery)
+	r.Use(middleware.SecurityHeaders(strings.HasPrefix(deps.Config.BaseURL, "https")))

 	tsAuth := &TailscaleAuth{allowedUsers: deps.Config.TailscaleAllowedUsers}
 	r.Use(tsAuth.Middleware)
--- a/internal/handlers/public/routes.go
+++ b/internal/handlers/public/routes.go
@ -31,6 +31,7 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	r.Use(middleware.RequestID)
 	r.Use(middleware.Logging)
 	r.Use(middleware.Recovery)
+	r.Use(middleware.SecurityHeaders(strings.HasPrefix(deps.Config.BaseURL, "https")))
 	r.Use(deps.Auth.SessionMiddleware)

 	csrfSecret := []byte(deps.Config.SessionSecret)
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@ -44,3 +44,15 @@ func Recovery(c *gin.Context) {
 	}()
 	c.Next()
 }
+
+func SecurityHeaders(secure bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("X-Content-Type-Options", "nosniff")
+		c.Header("X-Frame-Options", "DENY")
+		c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
+		if secure {
+			c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+		}
+		c.Next()
+	}
+}