author | Alan Pearce | 2024-05-30 14:01:35 +0200 |
committer | Alan Pearce | 2024-05-30 14:01:35 +0200 |
commit | b53769462bf830f860b7d741a3d0801afdbc9aa2 (patch) | |
tree | 1cdfffca23900dcf54cfa1f78e6012a73221a042 /internal | |
parent | 4698a97974ae82e7bd8592828c58294b222a58ff (diff) | |
feat: make security headers stricter
Diffstat (limited to 'internal')
-rw-r--r-- | internal/config/config.go | 5 | ||||
-rw-r--r-- | internal/config/default.go | 22 |
2 files changed, 26 insertions, 1 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index 81c5f3c..c8739f0 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -117,6 +117,11 @@ func GetConfig(filename string) (*Config, error) {
 		}
 	}
 
+	config.Web.ContentSecurityPolicy.ScriptSrc = append(
+		config.Web.ContentSecurityPolicy.ScriptSrc,
+		config.Web.BaseURL.JoinPath("/static/").String(),
+	)
+
 	maps.DeleteFunc(config.Importer.Sources, func(_ string, v *Source) bool {
 		return !v.Enable
 	})
diff --git a/internal/config/default.go b/internal/config/default.go
index 370057e..5e7b388 100644
--- a/internal/config/default.go
+++ b/internal/config/default.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"strconv"
 	"time"
 
 	"github.com/pelletier/go-toml/v2"
@@ -12,6 +13,11 @@ var nixpkgs = Repository{
 	Repo: "nixpkgs",
 }
 
+const none = "'none'"
+const self = "'self'"
+
+const maxAge = (1 * 365 * 24 * time.Hour)
+
 var defaultConfig = Config{
 	DataPath: "./data",
 	Web: &Web{
@@ -20,10 +26,24 @@ var defaultConfig = Config{
 		BaseURL: mustURL("http://localhost:3000"),
 		Environment: "development",
 		ContentSecurityPolicy: CSP{
-			DefaultSrc: []string{"'self'"},
+			DefaultSrc: []string{none},
+			BaseURI: []string{none},
+			ImgSrc: []string{self},
+			StyleSrc: []string{self},
+			// added dynamically based on final value of BaseURL
+			ScriptSrc: []string{},
+			FormAction: []string{self},
+			ConnectSrc: []string{self},
 		},
 		Headers: map[string]string{
+			"strict-transport-security": "max-age=" + strconv.FormatFloat(
+				maxAge.Seconds(),
+				'f',
+				0,
+				64,
+			),
 			"x-content-type-options": "nosniff",
+			"x-frame-options": "DENY",
 		},
 	},
 	Importer: &Importer{
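Review bot: The append at the top of the config.go hunk calls `config.Web.BaseURL.JoinPath(...)` with no nil check; the default config supplies a BaseURL via mustURL, but if decoding the user's file can leave the pointer nil this panics inside GetConfig instead of surfacing as its error return, so either confirm the decoder cannot clear it or guard it, e.g. `if config.Web.BaseURL == nil { return nil, errors.New("web base URL is not set") }` (constructed message; use whichever error package the file already imports). The append is also unconditional, so if GetConfig can run more than once against the same Config the `/static/` source would be emitted twice in script-src; a `slices.Contains` check before appending keeps the directive idempotent (callers are not visible here). A why-comment would help the next reader, e.g. `// script-src is derived here, after the file has been applied, so a user-configured BaseURL is honoured`. GetConfig's body starts and ends outside this hunk.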
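Review bot: In the second default.go hunk the new constants would read better with their purpose attached: `none`/`self` are CSP source keywords, so `cspNone`/`cspSelf` (or a grouped `const (...)` block with a one-line comment) makes that clear at the use sites, and `maxAge` is only ever the HSTS lifetime, so `hstsMaxAge = 365 * 24 * time.Hour // one year, the minimum accepted by HSTS preload lists` documents both the name and why one year was chosen. The surrounding parentheses in `const maxAge = (1 * 365 * 24 * time.Hour)` are redundant and gofmt will not remove them.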
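Review bot: In the last default.go hunk, with `DefaultSrc` now `'none'` the only framing protection is `x-frame-options: DENY`, because `frame-ancestors` is one of the CSP directives that does not fall back to default-src; if the CSP type has a frame-ancestors field, setting it to `none` next to the header keeps the two consistent, since browsers prefer the CSP directive when both are present. The same fallback applies to font-src, manifest-src, media-src and worker-src, so any such assets served from /static/ are now blocked unless listed, which is worth checking against what the templates reference (not visible here). The HSTS value is built with `strconv.FormatFloat(maxAge.Seconds(), 'f', 0, 64)`; `strconv.FormatInt(int64(maxAge/time.Second), 10)` expresses the same integer without a float round-trip and fits on one line. The ScriptSrc comment would be more useful naming where the value comes from, e.g. `// left empty here; GetConfig appends BaseURL + /static/ once the final BaseURL is known`.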