internal/middleware/security.go

package middleware

import "net/http"

// SecurityHeaders adds common security headers to responses
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Prevent clickjacking
		w.Header().Set("X-Frame-Options", "SAMEORIGIN")

		// Prevent MIME type sniffing
		w.Header().Set("X-Content-Type-Options", "nosniff")

		// XSS Protection (legacy but still useful)
		w.Header().Set("X-XSS-Protection", "1; mode=block")

		// Referrer policy
		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")

		// Content Security Policy (adjust as needed)
		w.Header().Set("Content-Security-Policy",
			"default-src 'self'; "+
				"script-src 'self' 'unsafe-inline' https://unpkg.com; "+
				"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "+
				"font-src 'self' https://fonts.gstatic.com; "+
				"connect-src 'self'")

		next.ServeHTTP(w, r)
	})
}
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00			`package middleware`

			`import "net/http"`

			`// SecurityHeaders adds common security headers to responses`
			`func SecurityHeaders(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Prevent clickjacking`
			`w.Header().Set("X-Frame-Options", "SAMEORIGIN")`

			`// Prevent MIME type sniffing`
			`w.Header().Set("X-Content-Type-Options", "nosniff")`

			`// XSS Protection (legacy but still useful)`
			`w.Header().Set("X-XSS-Protection", "1; mode=block")`

			`// Referrer policy`
			`w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")`

			`// Content Security Policy (adjust as needed)`
			`w.Header().Set("Content-Security-Policy",`
			`"default-src 'self'; "+`
			`"script-src 'self' 'unsafe-inline' https://unpkg.com; "+`
			`"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "+`
			`"font-src 'self' https://fonts.gstatic.com; "+`
			`"connect-src 'self'")`

			`next.ServeHTTP(w, r)`
			`})`
			`}`