Add security response headers

Fixes #18

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/handlers/admin/routes.go

@@ -29,6 +29,7 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	r.Use(middleware.RequestID)
 	r.Use(middleware.Logging)
 	r.Use(middleware.Recovery)
+	r.Use(middleware.SecurityHeaders(strings.HasPrefix(deps.Config.BaseURL, "https")))
 
 	tsAuth := &TailscaleAuth{allowedUsers: deps.Config.TailscaleAllowedUsers}
 	r.Use(tsAuth.Middleware)

internal/handlers/public/routes.go

@@ -31,6 +31,7 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	r.Use(middleware.RequestID)
 	r.Use(middleware.Logging)
 	r.Use(middleware.Recovery)
+	r.Use(middleware.SecurityHeaders(strings.HasPrefix(deps.Config.BaseURL, "https")))
 	r.Use(deps.Auth.SessionMiddleware)
 
 	csrfSecret := []byte(deps.Config.SessionSecret)

internal/middleware/middleware.go

@@ -44,3 +44,15 @@ func Recovery(c *gin.Context) {
 	}()
 	c.Next()
 }
+
+func SecurityHeaders(secure bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("X-Content-Type-Options", "nosniff")
+		c.Header("X-Frame-Options", "DENY")
+		c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
+		if secure {
+			c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+		}
+		c.Next()
+	}
+}