internal/middleware/security.go

package middleware

import (
	"net/http"
	"os"
	"strings"
	"sync"
	"time"

	c "github.com/juanatsap/cv-site/internal/constants"
)

// SecurityHeaders adds production-grade security headers to responses
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Prevent clickjacking
		w.Header().Set(c.HeaderXFrameOptions, c.FrameOptionsSameOrigin)

		// Prevent MIME type sniffing
		w.Header().Set(c.HeaderXContentTypeOpts, c.NoSniff)

		// XSS Protection (legacy but still useful for older browsers)
		w.Header().Set(c.HeaderXXSSProtection, c.XSSProtection)

		// Referrer policy - strict privacy
		w.Header().Set(c.HeaderReferrerPolicy, c.ReferrerPolicy)

		// Permissions Policy - disable unnecessary features
		w.Header().Set(c.HeaderPermissionsPolicy,
			"geolocation=(), microphone=(), camera=(), payment=(), usb=(), "+
				"magnetometer=(), gyroscope=(), accelerometer=()")

		// Content Security Policy (comprehensive)
		csp := "default-src 'self'; " +
			"script-src 'self' 'unsafe-inline' https://unpkg.com https://cdn.jsdelivr.net https://esm.sh https://matomo.morenorub.io; " +
			"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
			"font-src 'self' https://fonts.gstatic.com; " +
			"img-src 'self' data: https:; " +
			"connect-src 'self' https://api.iconify.design https://matomo.morenorub.io; " +
			"frame-ancestors 'self'; " +
			"base-uri 'self'; " +
			"form-action 'self'"
		w.Header().Set(c.HeaderCSP, csp)

		// HSTS - only in production with HTTPS
		if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {
			// 1 year max-age, include subdomains
			w.Header().Set(c.HeaderHSTS, c.HSTSMaxAge)
		}

		next.ServeHTTP(w, r)
	})
}

// OriginChecker restricts API access to requests from allowed origins only
// Prevents external sites from hotlinking/accessing resource-intensive endpoints
func OriginChecker(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Get allowed domains from environment (comma-separated)
		// Example: ALLOWED_ORIGINS="yourdomain.com,www.yourdomain.com"
		allowedOriginsEnv := os.Getenv("ALLOWED_ORIGINS")

		// If empty, add "juan.andres.morenorub.io", as it is the domain of the CV
		if allowedOriginsEnv == "" {
			allowedOriginsEnv = "juan.andres.morenorub.io"
		}

		// Default to localhost for development
		allowedOrigins := []string{"localhost", "127.0.0.1"}

		if allowedOriginsEnv != "" {
			customOrigins := strings.Split(allowedOriginsEnv, ",")
			for _, origin := range customOrigins {
				allowedOrigins = append(allowedOrigins, strings.TrimSpace(origin))
			}
		}

		// Check Origin header (for CORS requests)
		origin := r.Header.Get(c.HeaderOrigin)
		if origin != "" {
			if !isAllowedOrigin(origin, allowedOrigins) {
				http.Error(w, "Forbidden: External access not allowed", http.StatusForbidden)
				return
			}
		}

		// Check Referer header (for direct requests)
		referer := r.Header.Get(c.HeaderReferer)
		if referer != "" {
			if !isAllowedOrigin(referer, allowedOrigins) {
				http.Error(w, "Forbidden: External access not allowed", http.StatusForbidden)
				return
			}
		}

		// Allow if no Origin/Referer (direct browser access)
		// This allows your own site visitors to access the endpoint
		if origin == "" && referer == "" {
			// For production, you might want to be stricter here
			// For now, allow it (users can bookmark /export/pdf directly)
			if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction && r.URL.Path == c.RouteExportPDF {
				// In production, require at least a referer for PDF endpoint
				http.Error(w, "Forbidden: Direct access not allowed", http.StatusForbidden)
				return
			}
		}

		next.ServeHTTP(w, r)
	})
}

// isAllowedOrigin checks if the origin/referer matches allowed domains
func isAllowedOrigin(originURL string, allowedOrigins []string) bool {
	originURL = strings.TrimSpace(originURL)
	originURL = strings.TrimPrefix(originURL, "http://")
	originURL = strings.TrimPrefix(originURL, "https://")

	// Extract domain from URL (remove path)
	parts := strings.Split(originURL, "/")
	domain := parts[0]

	// Remove port if present
	domain = strings.Split(domain, ":")[0]

	for _, allowed := range allowedOrigins {
		if strings.EqualFold(domain, allowed) {
			return true
		}
	}

	return false
}

// rateLimitEntry tracks rate limiting per IP
type rateLimitEntry struct {
	count     int
	resetTime time.Time
}

// RateLimiter provides simple in-memory rate limiting
type RateLimiter struct {
	mu      sync.RWMutex
	clients map[string]*rateLimitEntry
	limit   int           // requests allowed
	window  time.Duration // time window
}

// NewRateLimiter creates a new rate limiter
func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	rl := &RateLimiter{
		clients: make(map[string]*rateLimitEntry),
		limit:   limit,
		window:  window,
	}

	// Cleanup expired entries every minute
	go rl.cleanup()

	return rl
}

// Middleware returns rate limiting middleware
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Get client IP (handle X-Forwarded-For for proxies)
		ip := r.Header.Get(c.HeaderXForwardedFor)
		if ip == "" {
			ip = r.Header.Get(c.HeaderXRealIP)
		}
		if ip == "" {
			ip = strings.Split(r.RemoteAddr, ":")[0]
		}

		if !rl.allow(ip) {
			w.Header().Set(c.HeaderRetryAfter, "60")
			http.Error(w, "Rate limit exceeded. Please try again later.", http.StatusTooManyRequests)
			return
		}

		next.ServeHTTP(w, r)
	})
}

// allow checks if the request is allowed based on rate limit
func (rl *RateLimiter) allow(ip string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()

	now := time.Now()

	entry, exists := rl.clients[ip]
	if !exists || now.After(entry.resetTime) {
		// New client or window expired
		rl.clients[ip] = &rateLimitEntry{
			count:     1,
			resetTime: now.Add(rl.window),
		}
		return true
	}

	if entry.count >= rl.limit {
		return false
	}

	entry.count++
	return true
}

// cleanup removes expired entries periodically
func (rl *RateLimiter) cleanup() {
	ticker := time.NewTicker(1 * time.Minute)
	defer ticker.Stop()

	for range ticker.C {
		rl.mu.Lock()
		now := time.Now()
		for ip, entry := range rl.clients {
			if now.After(entry.resetTime) {
				delete(rl.clients, ip)
			}
		}
		rl.mu.Unlock()
	}
}

// CacheControl adds cache headers to static files
// 1 hour in development, 1 day in production
func CacheControl(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cacheValue := c.CachePublic1Hour
		if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {
			cacheValue = c.CachePublic1Day
		}

		w.Header().Set(c.HeaderCacheControl, cacheValue)
		next.ServeHTTP(w, r)
	})
}

// DynamicCacheControl adds appropriate cache headers for dynamic HTML pages
// Short cache with must-revalidate for dynamic content
func DynamicCacheControl(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// For dynamic HTML pages: short cache, must revalidate
		// This improves performance while ensuring fresh content
		if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {
			// Production: 5 minutes cache, but must revalidate
			w.Header().Set(c.HeaderCacheControl, c.CachePublic5Min)
		} else {
			// Development: no cache for easier testing
			w.Header().Set(c.HeaderCacheControl, c.CacheNoStore)
		}
		next.ServeHTTP(w, r)
	})
}
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00			`package middleware`

from mac 2025-10-31 11:06:38 +00:00			`import (`
			`"net/http"`
			`"os"`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`"strings"`
			`"sync"`
			`"time"`
refactor: centralize constants and reorganize documentation 2025-12-06 16:27:12 +00:00
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`c "github.com/juanatsap/cv-site/internal/constants"`
from mac 2025-10-31 11:06:38 +00:00			`)`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00
from mac 2025-10-31 11:06:38 +00:00			`// SecurityHeaders adds production-grade security headers to responses`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00			`func SecurityHeaders(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Prevent clickjacking`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderXFrameOptions, c.FrameOptionsSameOrigin)`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00
			`// Prevent MIME type sniffing`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderXContentTypeOpts, c.NoSniff)`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00
from mac 2025-10-31 11:06:38 +00:00			`// XSS Protection (legacy but still useful for older browsers)`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderXXSSProtection, c.XSSProtection)`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00
from mac 2025-10-31 11:06:38 +00:00			`// Referrer policy - strict privacy`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderReferrerPolicy, c.ReferrerPolicy)`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00
from mac 2025-10-31 11:06:38 +00:00			`// Permissions Policy - disable unnecessary features`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderPermissionsPolicy,`
from mac 2025-10-31 11:06:38 +00:00			`"geolocation=(), microphone=(), camera=(), payment=(), usb=(), "+`
			`"magnetometer=(), gyroscope=(), accelerometer=()")`

			`// Content Security Policy (comprehensive)`
			`csp := "default-src 'self'; " +`
feat: lazy load ninja-keys + HTML Invoker Commands API 2025-12-02 08:29:54 +00:00			`"script-src 'self' 'unsafe-inline' https://unpkg.com https://cdn.jsdelivr.net https://esm.sh https://matomo.morenorub.io; " +`
from mac 2025-10-31 11:06:38 +00:00			`"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +`
			`"font-src 'self' https://fonts.gstatic.com; " +`
			`"img-src 'self' data: https:; " +`
refactor: Separate CV domain and UI presentation models into distinct packages 2025-11-20 16:17:56 +00:00			`"connect-src 'self' https://api.iconify.design https://matomo.morenorub.io; " +`
from mac 2025-10-31 11:06:38 +00:00			`"frame-ancestors 'self'; " +`
			`"base-uri 'self'; " +`
			`"form-action 'self'"`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderCSP, csp)`
from mac 2025-10-31 11:06:38 +00:00
			`// HSTS - only in production with HTTPS`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {`
from mac 2025-10-31 11:06:38 +00:00			`// 1 year max-age, include subdomains`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderHSTS, c.HSTSMaxAge)`
from mac 2025-10-31 11:06:38 +00:00			`}`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00
			`next.ServeHTTP(w, r)`
			`})`
			`}`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00
			`// OriginChecker restricts API access to requests from allowed origins only`
			`// Prevents external sites from hotlinking/accessing resource-intensive endpoints`
			`func OriginChecker(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Get allowed domains from environment (comma-separated)`
			`// Example: ALLOWED_ORIGINS="yourdomain.com,www.yourdomain.com"`
			`allowedOriginsEnv := os.Getenv("ALLOWED_ORIGINS")`

			`// If empty, add "juan.andres.morenorub.io", as it is the domain of the CV`
			`if allowedOriginsEnv == "" {`
			`allowedOriginsEnv = "juan.andres.morenorub.io"`
			`}`

			`// Default to localhost for development`
			`allowedOrigins := []string{"localhost", "127.0.0.1"}`

			`if allowedOriginsEnv != "" {`
			`customOrigins := strings.Split(allowedOriginsEnv, ",")`
			`for _, origin := range customOrigins {`
			`allowedOrigins = append(allowedOrigins, strings.TrimSpace(origin))`
			`}`
			`}`

			`// Check Origin header (for CORS requests)`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`origin := r.Header.Get(c.HeaderOrigin)`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`if origin != "" {`
			`if !isAllowedOrigin(origin, allowedOrigins) {`
			`http.Error(w, "Forbidden: External access not allowed", http.StatusForbidden)`
			`return`
			`}`
			`}`

			`// Check Referer header (for direct requests)`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`referer := r.Header.Get(c.HeaderReferer)`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`if referer != "" {`
			`if !isAllowedOrigin(referer, allowedOrigins) {`
			`http.Error(w, "Forbidden: External access not allowed", http.StatusForbidden)`
			`return`
			`}`
			`}`

			`// Allow if no Origin/Referer (direct browser access)`
			`// This allows your own site visitors to access the endpoint`
			`if origin == "" && referer == "" {`
			`// For production, you might want to be stricter here`
			`// For now, allow it (users can bookmark /export/pdf directly)`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction && r.URL.Path == c.RouteExportPDF {`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`// In production, require at least a referer for PDF endpoint`
			`http.Error(w, "Forbidden: Direct access not allowed", http.StatusForbidden)`
			`return`
			`}`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`// isAllowedOrigin checks if the origin/referer matches allowed domains`
			`func isAllowedOrigin(originURL string, allowedOrigins []string) bool {`
			`originURL = strings.TrimSpace(originURL)`
			`originURL = strings.TrimPrefix(originURL, "http://")`
			`originURL = strings.TrimPrefix(originURL, "https://")`

			`// Extract domain from URL (remove path)`
			`parts := strings.Split(originURL, "/")`
			`domain := parts[0]`

			`// Remove port if present`
			`domain = strings.Split(domain, ":")[0]`

			`for _, allowed := range allowedOrigins {`
			`if strings.EqualFold(domain, allowed) {`
			`return true`
			`}`
			`}`

			`return false`
			`}`

			`// rateLimitEntry tracks rate limiting per IP`
			`type rateLimitEntry struct {`
			`count int`
			`resetTime time.Time`
			`}`

			`// RateLimiter provides simple in-memory rate limiting`
			`type RateLimiter struct {`
			`mu sync.RWMutex`
			`clients map[string]*rateLimitEntry`
			`limit int // requests allowed`
			`window time.Duration // time window`
			`}`

			`// NewRateLimiter creates a new rate limiter`
			`func NewRateLimiter(limit int, window time.Duration) *RateLimiter {`
			`rl := &RateLimiter{`
			`clients: make(map[string]*rateLimitEntry),`
			`limit: limit,`
			`window: window,`
			`}`

			`// Cleanup expired entries every minute`
			`go rl.cleanup()`

			`return rl`
			`}`

			`// Middleware returns rate limiting middleware`
			`func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Get client IP (handle X-Forwarded-For for proxies)`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`ip := r.Header.Get(c.HeaderXForwardedFor)`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`if ip == "" {`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`ip = r.Header.Get(c.HeaderXRealIP)`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`}`
			`if ip == "" {`
			`ip = strings.Split(r.RemoteAddr, ":")[0]`
			`}`

			`if !rl.allow(ip) {`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderRetryAfter, "60")`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`http.Error(w, "Rate limit exceeded. Please try again later.", http.StatusTooManyRequests)`
			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`// allow checks if the request is allowed based on rate limit`
			`func (rl *RateLimiter) allow(ip string) bool {`
			`rl.mu.Lock()`
			`defer rl.mu.Unlock()`

			`now := time.Now()`

			`entry, exists := rl.clients[ip]`
			`if !exists \|\| now.After(entry.resetTime) {`
			`// New client or window expired`
			`rl.clients[ip] = &rateLimitEntry{`
			`count: 1,`
			`resetTime: now.Add(rl.window),`
			`}`
			`return true`
			`}`

			`if entry.count >= rl.limit {`
			`return false`
			`}`

			`entry.count++`
			`return true`
			`}`

			`// cleanup removes expired entries periodically`
			`func (rl *RateLimiter) cleanup() {`
			`ticker := time.NewTicker(1 * time.Minute)`
			`defer ticker.Stop()`

			`for range ticker.C {`
			`rl.mu.Lock()`
			`now := time.Now()`
			`for ip, entry := range rl.clients {`
			`if now.After(entry.resetTime) {`
			`delete(rl.clients, ip)`
			`}`
			`}`
			`rl.mu.Unlock()`
			`}`
			`}`
feat: simplify architecture by removing cache layer and centralizing routes 2025-11-12 17:53:24 +00:00
			`// CacheControl adds cache headers to static files`
			`// 1 hour in development, 1 day in production`
			`func CacheControl(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`cacheValue := c.CachePublic1Hour`
			`if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {`
			`cacheValue = c.CachePublic1Day`
feat: simplify architecture by removing cache layer and centralizing routes 2025-11-12 17:53:24 +00:00			`}`

refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderCacheControl, cacheValue)`
feat: simplify architecture by removing cache layer and centralizing routes 2025-11-12 17:53:24 +00:00			`next.ServeHTTP(w, r)`
			`})`
			`}`
feat: comprehensive WCAG 2.1 AA accessibility audit 2025-12-02 10:46:53 +00:00
			`// DynamicCacheControl adds appropriate cache headers for dynamic HTML pages`
			`// Short cache with must-revalidate for dynamic content`
			`func DynamicCacheControl(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// For dynamic HTML pages: short cache, must revalidate`
			`// This improves performance while ensuring fresh content`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {`
feat: comprehensive WCAG 2.1 AA accessibility audit 2025-12-02 10:46:53 +00:00			`// Production: 5 minutes cache, but must revalidate`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderCacheControl, c.CachePublic5Min)`
feat: comprehensive WCAG 2.1 AA accessibility audit 2025-12-02 10:46:53 +00:00			`} else {`
			`// Development: no cache for easier testing`
refactor: use 'c' alias for constants package 2025-12-06 16:31:42 +00:00			`w.Header().Set(c.HeaderCacheControl, c.CacheNoStore)`
feat: comprehensive WCAG 2.1 AA accessibility audit 2025-12-02 10:46:53 +00:00			`}`
			`next.ServeHTTP(w, r)`
			`})`
			`}`