From b53769462bf830f860b7d741a3d0801afdbc9aa2 Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Thu, 30 May 2024 14:01:35 +0200 Subject: feat: make security headers stricter --- internal/config/default.go | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) (limited to 'internal/config/default.go') diff --git a/internal/config/default.go b/internal/config/default.go index 370057e..5e7b388 100644 --- a/internal/config/default.go +++ b/internal/config/default.go @@ -1,6 +1,7 @@ package config import ( + "strconv" "time" "github.com/pelletier/go-toml/v2" @@ -12,6 +13,11 @@ var nixpkgs = Repository{ Repo: "nixpkgs", } +const none = "'none'" +const self = "'self'" + +const maxAge = (1 * 365 * 24 * time.Hour) + var defaultConfig = Config{ DataPath: "./data", Web: &Web{ @@ -20,10 +26,24 @@ var defaultConfig = Config{ BaseURL: mustURL("http://localhost:3000"), Environment: "development", ContentSecurityPolicy: CSP{ - DefaultSrc: []string{"'self'"}, + DefaultSrc: []string{none}, + BaseURI: []string{none}, + ImgSrc: []string{self}, + StyleSrc: []string{self}, + // added dynamically based on final value of BaseURL + ScriptSrc: []string{}, + FormAction: []string{self}, + ConnectSrc: []string{self}, }, Headers: map[string]string{ + "strict-transport-security": "max-age=" + strconv.FormatFloat( + maxAge.Seconds(), + 'f', + 0, + 64, + ), "x-content-type-options": "nosniff", + "x-frame-options": "DENY", }, }, Importer: &Importer{ -- cgit 1.4.1