authorAlan Pearce2024-05-30 14:01:35 +0200
committerAlan Pearce2024-05-30 14:01:35 +0200
commitb53769462bf830f860b7d741a3d0801afdbc9aa2 (patch)
tree1cdfffca23900dcf54cfa1f78e6012a73221a042 /internal/config
parent4698a97974ae82e7bd8592828c58294b222a58ff (diff)
feat: make security headers stricter
Diffstat (limited to 'internal/config')
-rw-r--r--internal/config/config.go5
-rw-r--r--internal/config/default.go22
2 files changed, 26 insertions, 1 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index 81c5f3c..c8739f0 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -117,6 +117,11 @@ func GetConfig(filename string) (*Config, error) {
 		}
 	}
 
+	config.Web.ContentSecurityPolicy.ScriptSrc = append(
+		config.Web.ContentSecurityPolicy.ScriptSrc,
+		config.Web.BaseURL.JoinPath("/static/").String(),
+	)
+
 	maps.DeleteFunc(config.Importer.Sources, func(_ string, v *Source) bool {
 		return !v.Enable
 	})
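Review bot: The script-src entry appended on lines 28–31 serialises the whole BaseURL, and a CSP source expression only admits scheme, host, port and path, so any userinfo, query or fragment present in a user-supplied BaseURL (its validation is outside this hunk) would end up verbatim in the Content-Security-Policy header; a stricter build such as `u := *config.Web.BaseURL.JoinPath("/static/"); u.User, u.RawQuery, u.Fragment = nil, "", ""` before calling `String()` would avoid that. The append runs unconditionally after the config file has been applied, which appears to be why default.go leaves ScriptSrc empty, and a comment here would tie the two together: `// static assets are served from BaseURL; add it to script-src only after the user's config has been applied`. GetConfig's body starts and ends outside the hunk.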
diff --git a/internal/config/default.go b/internal/config/default.go
index 370057e..5e7b388 100644
--- a/internal/config/default.go
+++ b/internal/config/default.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"strconv"
 	"time"
 
 	"github.com/pelletier/go-toml/v2"
@@ -12,6 +13,11 @@ var nixpkgs = Repository{
 	Repo:  "nixpkgs",
 }
 
+const none = "'none'"
+const self = "'self'"
+
+const maxAge = (1 * 365 * 24 * time.Hour)
+
 var defaultConfig = Config{
 	DataPath: "./data",
 	Web: &Web{
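Review bot: The three new package-level constants on lines 52–55 are declared one per line with redundant parentheses around the duration, and `maxAge` does not say what it is the max age of, which matters because the same name could plausibly describe a cache or cookie lifetime later. Grouping them in one parenthesised block with a doc comment naming the HSTS use keeps the name stable for default.go's header map while making the intent explicit.
```go
const (
	// CSP source expressions; the quotes are part of the value.
	none = "'none'"
	self = "'self'"

	// maxAge is the Strict-Transport-Security max-age (one year).
	maxAge = 365 * 24 * time.Hour
)
```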
@@ -20,10 +26,24 @@ var defaultConfig = Config{
 		BaseURL:       mustURL("http://localhost:3000"),
 		Environment:   "development",
 		ContentSecurityPolicy: CSP{
-			DefaultSrc: []string{"'self'"},
+			DefaultSrc: []string{none},
+			BaseURI:    []string{none},
+			ImgSrc:     []string{self},
+			StyleSrc:   []string{self},
+			// added dynamically based on final value of BaseURL
+			ScriptSrc:  []string{},
+			FormAction: []string{self},
+			ConnectSrc: []string{self},
 		},
 		Headers: map[string]string{
+			"strict-transport-security": "max-age=" + strconv.FormatFloat(
+				maxAge.Seconds(),
+				'f',
+				0,
+				64,
+			),
 			"x-content-type-options": "nosniff",
+			"x-frame-options":        "DENY",
 		},
 	},
 	Importer: &Importer{
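Review bot: The max-age value is an integer number of seconds, so the five-line FormatFloat call on lines 75–80 can be written as `"strict-transport-security": "max-age=" + strconv.FormatInt(int64(maxAge/time.Second), 10),`, which avoids the float round-trip and the 'f'/0/64 formatting arguments. With default-src now `'none'`, frame-ancestors is the one directive that does not inherit from it; the added `x-frame-options: DENY` still covers that for browsers that honour it, but if the CSP type has a frame-ancestors field (not visible here), `FrameAncestors: []string{none}` would be the CSP-native equivalent. The defaultConfig literal continues past the hunk.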