upload

internal/middleware/security_headers.go

@@ -0,0 +1,75 @@
+package middleware
+
+import (
+	"fotbal-club/internal/config"
+	"github.com/gin-gonic/gin"
+)
+
+// SecurityHeaders adds comprehensive security headers to all responses
+func SecurityHeaders() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Prevent MIME type sniffing
+		c.Header("X-Content-Type-Options", "nosniff")
+
+		// Prevent clickjacking
+		c.Header("X-Frame-Options", "DENY")
+
+		// Referrer policy
+		c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
+
+		// XSS Protection (legacy, but still useful)
+		c.Header("X-XSS-Protection", "1; mode=block")
+
+		// Permissions Policy (formerly Feature-Policy)
+		c.Header("Permissions-Policy", "geolocation=(), microphone=(), camera=(), payment=()")
+
+		// HSTS for HTTPS connections
+		if c.Request.TLS != nil || c.GetHeader("X-Forwarded-Proto") == "https" {
+			c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
+		}
+
+		// Strict Content-Security-Policy
+		csp := buildCSP(config.AppConfig.AppEnv == "production")
+		c.Header("Content-Security-Policy", csp)
+
+		// Additional security headers
+		c.Header("X-Permitted-Cross-Domain-Policies", "none")
+		c.Header("Cross-Origin-Embedder-Policy", "require-corp")
+		c.Header("Cross-Origin-Opener-Policy", "same-origin")
+		c.Header("Cross-Origin-Resource-Policy", "same-origin")
+
+		c.Next()
+	}
+}
+
+// buildCSP creates a strict Content-Security-Policy
+func buildCSP(production bool) string {
+	if production {
+		// Strict production CSP
+		return "default-src 'self'; " +
+			"script-src 'self' https://fonts.googleapis.com https://umami.tdvorak.dev; " +
+			"style-src 'self' https://fonts.googleapis.com; " +
+			"font-src 'self' https://fonts.gstatic.com data:; " +
+			"img-src 'self' data: https: blob:; " +
+			"connect-src 'self' https://umami.tdvorak.dev https://zonerama.tdvorak.dev; " +
+			"frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; " +
+			"object-src 'none'; " +
+			"base-uri 'self'; " +
+			"form-action 'self'; " +
+			"frame-ancestors 'none'; " +
+			"upgrade-insecure-requests;"
+	}
+
+	// Development CSP - slightly relaxed for local development
+	return "default-src 'self'; " +
+		"script-src 'self' 'unsafe-eval' 'unsafe-inline' https://fonts.googleapis.com https://umami.tdvorak.dev; " +
+		"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
+		"font-src 'self' https://fonts.gstatic.com data:; " +
+		"img-src 'self' data: https: http: blob:; " +
+		"connect-src 'self' https: http: ws: wss:; " +
+		"frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; " +
+		"object-src 'none'; " +
+		"base-uri 'self'; " +
+		"form-action 'self'; " +
+		"frame-ancestors 'none';"
+}