MyClub/internal/middleware/security_headers.go

package middleware

import (
	"fotbal-club/internal/config"
	"github.com/gin-gonic/gin"
)

// SecurityHeaders adds comprehensive security headers to all responses
func SecurityHeaders() gin.HandlerFunc {
	return func(c *gin.Context) {
		// Prevent MIME type sniffing
		c.Header("X-Content-Type-Options", "nosniff")

		// Prevent clickjacking (allow same-origin for PDF previews)
		c.Header("X-Frame-Options", "SAMEORIGIN")

		// Referrer policy
		c.Header("Referrer-Policy", "strict-origin-when-cross-origin")

		// XSS Protection (legacy, but still useful)
		c.Header("X-XSS-Protection", "1; mode=block")

		// Permissions Policy (formerly Feature-Policy)
		c.Header("Permissions-Policy", "geolocation=(), microphone=(), camera=(), payment=()")

		// HSTS for HTTPS connections
		if c.Request.TLS != nil || c.GetHeader("X-Forwarded-Proto") == "https" {
			c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
		}

		// Strict Content-Security-Policy
		csp := buildCSP(config.AppConfig.AppEnv == "production")
		c.Header("Content-Security-Policy", csp)

		// Additional security headers
		c.Header("X-Permitted-Cross-Domain-Policies", "none")
		c.Header("Cross-Origin-Embedder-Policy", "require-corp")
		c.Header("Cross-Origin-Opener-Policy", "same-origin")
		// Allow assets (e.g., /uploads) to be embedded from different origin (frontend vs backend)
		c.Header("Cross-Origin-Resource-Policy", "cross-origin")

		c.Next()
	}
}

// buildCSP creates a strict Content-Security-Policy
func buildCSP(production bool) string {
	if production {
		// Strict production CSP
		return "default-src 'self'; " +
			"script-src 'self' https://fonts.googleapis.com https://umami.tdvorak.dev; " +
			"style-src 'self' https://fonts.googleapis.com; " +
			"font-src 'self' https://fonts.gstatic.com data:; " +
			"img-src 'self' data: https: blob:; " +
			"connect-src 'self' https://umami.tdvorak.dev https://zonerama.tdvorak.dev; " +
			"frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; " +
			"object-src 'none'; " +
			"base-uri 'self'; " +
			"form-action 'self'; " +
			"frame-ancestors 'self'; " +
			"upgrade-insecure-requests;"
	}

	// Development CSP - slightly relaxed for local development
	return "default-src 'self'; " +
		"script-src 'self' 'unsafe-eval' 'unsafe-inline' https://fonts.googleapis.com https://umami.tdvorak.dev; " +
		"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
		"font-src 'self' https://fonts.gstatic.com data:; " +
		"img-src 'self' data: https: http: blob:; " +
		"connect-src 'self' https: http: ws: wss:; " +
		"frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; " +
		"object-src 'none'; " +
		"base-uri 'self'; " +
		"form-action 'self'; " +
		"frame-ancestors 'self';"
}