refactor: use 'c' alias for constants package

- Update all imports from 'constants' to 'c' for brevity - Replace all 'constants.' references with 'c.' - Fix remaining hardcoded content-type headers in httputil - Fix remaining hardcoded User-Agent and Accept headers - Rename CSRF receiver from 'c' to 'csrf' to avoid conflict - Add ContentTypePlainSimple constant for Accept header matching - Fix JSONCached to use proper integer formatting
2025-12-06 16:31:42 +00:00
parent 2c7f8de242
commit 30ed21ff7a
21 changed files with 1335 additions and 167 deletions
@@ -5,7 +5,7 @@ import (
 	"os"
 	"strconv"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // Config holds all application configuration
@@ -50,7 +50,7 @@ type EmailConfig struct {
 func Load() *Config {
 	return &Config{
 		Server: ServerConfig{
-			Port:         getEnv(constants.EnvVarPort, constants.DefaultPort),
+			Port:         getEnv(c.EnvVarPort, c.DefaultPort),
 			Host:         getEnv("HOST", "localhost"),
 			ReadTimeout:  getEnvAsInt("READ_TIMEOUT", 15),
 			WriteTimeout: getEnvAsInt("WRITE_TIMEOUT", 15),
@@ -105,6 +105,6 @@ func getEnvAsBool(key string, defaultValue bool) bool {
 }

 func isDevelopment() bool {
-	env := getEnv(constants.EnvVarGOEnv, constants.EnvDevelopment)
-	return env == constants.EnvDevelopment || env == "dev"
+	env := getEnv(c.EnvVarGOEnv, c.EnvDevelopment)
+	return env == c.EnvDevelopment || env == "dev"
 }
@@ -12,6 +12,7 @@ const (
 	ContentTypeHTML         = "text/html; charset=utf-8"
 	ContentTypeHTMLFragment = "text/html" // For HTMX fragments
 	ContentTypePlainText    = "text/plain; charset=utf-8"
+	ContentTypePlainSimple  = "text/plain" // For Accept header matching
 	ContentTypePDF          = "application/pdf"
 	ContentTypeFormURLEnc   = "application/x-www-form-urlencoded"
 )
@@ -7,7 +7,7 @@ import (
 	"strings"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 	"github.com/juanatsap/cv-site/internal/services"
 	"github.com/juanatsap/cv-site/internal/templates"
 )
@@ -143,7 +143,7 @@ func (h *ContactHandler) Submit(w http.ResponseWriter, r *http.Request) {

 // renderSuccess renders the success partial
 func (h *ContactHandler) renderSuccess(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTML)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 	w.WriteHeader(http.StatusOK)

 	// Fallback HTML for when templates aren't available (e.g., in tests)
@@ -173,7 +173,7 @@ func (h *ContactHandler) renderSuccess(w http.ResponseWriter, r *http.Request) {

 // renderError renders the error partial
 func (h *ContactHandler) renderError(w http.ResponseWriter, r *http.Request, message string) {
-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTML)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 	w.WriteHeader(http.StatusBadRequest)

 	// Fallback HTML for when templates aren't available (e.g., in tests)
@@ -5,7 +5,7 @@ import (
 	"log"
 	"net/http"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 	"github.com/juanatsap/cv-site/internal/httputil"
 )

@@ -89,8 +89,8 @@ func (h *CVHandler) CmdKData(w http.ResponseWriter, r *http.Request) {
 	}

 	// Set headers and encode response
-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeJSON)
-	w.Header().Set(constants.HeaderCacheControl, constants.CachePublic1Hour)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeJSON)
+	w.Header().Set(c.HeaderCacheControl, c.CachePublic1Hour)

 	if err := json.NewEncoder(w).Encode(response); err != nil {
 		log.Printf("ERROR encoding CMD+K response: %v", err)
@@ -8,7 +8,7 @@ import (
 	"strings"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 	"github.com/juanatsap/cv-site/internal/httputil"
 	"github.com/juanatsap/cv-site/internal/services"
 )
@@ -173,7 +173,7 @@ func (h *CVHandler) renderContactSuccess(w http.ResponseWriter, r *http.Request,
 	}

 	// Render the success template
-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTML)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 	w.WriteHeader(http.StatusOK)

 	tmpl, err := h.templates.Render("contact-success")
@@ -224,7 +224,7 @@ func (h *CVHandler) renderContactError(w http.ResponseWriter, r *http.Request, e
 	// Render the error template
 	// Return 200 OK with error content - HTMX 1.9.x logs console.error for non-2xx responses
 	// Validation errors are expected form feedback, not system errors
-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTML)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 	w.WriteHeader(http.StatusOK)

 	tmpl, err := h.templates.Render("contact-error")
@@ -11,7 +11,7 @@ import (
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/plumbing/object"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 	cvmodel "github.com/juanatsap/cv-site/internal/models/cv"
 )

@@ -343,7 +343,7 @@ func (h *CVHandler) prepareTemplateData(lang string) (map[string]interface{}, er

 	// Check if production mode AND CSS bundle exists
 	// This ensures graceful fallback to modular CSS if bundle not built
-	isProduction := os.Getenv(constants.EnvVarGOEnv) == constants.EnvProduction
+	isProduction := os.Getenv(c.EnvVarGOEnv) == c.EnvProduction
 	if isProduction {
 		bundlePath := filepath.Join("static", "dist", "bundle.min.css")
 		if _, err := os.Stat(bundlePath); os.IsNotExist(err) {
@@ -3,7 +3,7 @@ package handlers
 import (
 	"net/http"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 	"github.com/juanatsap/cv-site/internal/httputil"
 	"github.com/juanatsap/cv-site/internal/middleware"
 )
@@ -25,13 +25,13 @@ func (h *CVHandler) ToggleLength(w http.ResponseWriter, r *http.Request) {
 	currentLength := prefs.CVLength

 	// Toggle state
-	newLength := constants.CVLengthLong
-	if currentLength == constants.CVLengthLong {
-		newLength = constants.CVLengthShort
+	newLength := c.CVLengthLong
+	if currentLength == c.CVLengthLong {
+		newLength = c.CVLengthShort
 	}

 	// Save new state
-	middleware.SetPreferenceCookie(w, constants.CookieCVLength, newLength)
+	middleware.SetPreferenceCookie(w, c.CookieCVLength, newLength)

 	// Return 204 No Content - frontend uses hx-swap="none" so response body is ignored
 	// The cookie is set and hyperscript handles the UI state toggle
@@ -49,13 +49,13 @@ func (h *CVHandler) ToggleIcons(w http.ResponseWriter, r *http.Request) {
 	currentIcons := prefs.CVIcons

 	// Toggle state
-	newIcons := constants.CVIconsHide
-	if currentIcons == constants.CVIconsHide {
-		newIcons = constants.CVIconsShow
+	newIcons := c.CVIconsHide
+	if currentIcons == c.CVIconsHide {
+		newIcons = c.CVIconsShow
 	}

 	// Save new state
-	middleware.SetPreferenceCookie(w, constants.CookieCVIcons, newIcons)
+	middleware.SetPreferenceCookie(w, c.CookieCVIcons, newIcons)

 	// Return 204 No Content - frontend uses hx-swap="none" so response body is ignored
 	// The cookie is set and hyperscript handles the UI state toggle
@@ -73,7 +73,7 @@ func (h *CVHandler) SwitchLanguage(w http.ResponseWriter, r *http.Request) {
 	}

 	// Save language preference
-	middleware.SetPreferenceCookie(w, constants.CookieCVLanguage, lang)
+	middleware.SetPreferenceCookie(w, c.CookieCVLanguage, lang)

 	// Prepare template data
 	data, err := h.prepareTemplateData(lang)
@@ -86,13 +86,13 @@ func (h *CVHandler) SwitchLanguage(w http.ResponseWriter, r *http.Request) {
 	prefs := middleware.GetPreferences(r)

 	// Add preferences to data
-	if prefs.CVLength == constants.CVLengthLong {
+	if prefs.CVLength == c.CVLengthLong {
 		data["CVLengthClass"] = "cv-long"
 	} else {
 		data["CVLengthClass"] = "cv-short"
 	}
-	data["ShowIcons"] = (prefs.CVIcons == constants.CVIconsShow)
-	data["ThemeClean"] = (prefs.CVTheme == constants.CVThemeClean)
+	data["ShowIcons"] = (prefs.CVIcons == c.CVIconsShow)
+	data["ThemeClean"] = (prefs.CVTheme == c.CVThemeClean)

 	// Render language-switch template with out-of-band swaps
 	tmpl, err := h.templates.Render("language-switch.html")
@@ -101,7 +101,7 @@ func (h *CVHandler) SwitchLanguage(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTML)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 	if err := tmpl.Execute(w, data); err != nil {
 		HandleError(w, r, TemplateError(err, "language-switch.html"))
 		return
@@ -119,13 +119,13 @@ func (h *CVHandler) ToggleTheme(w http.ResponseWriter, r *http.Request) {
 	currentTheme := prefs.CVTheme

 	// Toggle state
-	newTheme := constants.CVThemeClean
-	if currentTheme == constants.CVThemeClean {
-		newTheme = constants.CVThemeDefault
+	newTheme := c.CVThemeClean
+	if currentTheme == c.CVThemeClean {
+		newTheme = c.CVThemeDefault
 	}

 	// Save new state
-	middleware.SetPreferenceCookie(w, constants.CookieCVTheme, newTheme)
+	middleware.SetPreferenceCookie(w, c.CookieCVTheme, newTheme)

 	// Return 204 No Content - frontend uses hx-swap="none" so response body is ignored
 	// The cookie is set and hyperscript handles the UI state toggle
@@ -8,7 +8,7 @@ import (
 	"strings"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 	"github.com/juanatsap/cv-site/internal/httputil"
 	"github.com/juanatsap/cv-site/internal/middleware"
 	"github.com/juanatsap/cv-site/internal/pdf"
@@ -70,7 +70,7 @@ func (h *CVHandler) Home(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTML)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 	if err := tmpl.Execute(w, data); err != nil {
 		HandleError(w, r, TemplateError(err, "index.html"))
 		return
@@ -99,7 +99,7 @@ func (h *CVHandler) CVContent(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTML)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 	if err := tmpl.Execute(w, data); err != nil {
 		HandleError(w, r, TemplateError(err, "cv-content.html"))
 		return
@@ -127,7 +127,7 @@ func (h *CVHandler) DefaultCVShortcut(w http.ResponseWriter, r *http.Request) {
 	lang := strings.TrimSuffix(langWithExt, ".pdf")

 	// Validate language
-	if !constants.SupportedLanguages[lang] {
+	if !c.SupportedLanguages[lang] {
 		http.NotFound(w, r)
 		return
 	}
@@ -147,11 +147,11 @@ func (h *CVHandler) DefaultCVShortcut(w http.ResponseWriter, r *http.Request) {

 	// Prepare cookies for PDF generation (short, with_skills, light mode)
 	cookies := map[string]string{
-		constants.CookieCVLength:   constants.CVLengthShort,
-		constants.CookieCVIcons:    constants.CVIconsShow,
-		constants.CookieCVLanguage: lang,
-		constants.CookieCVTheme:    constants.CVThemeDefault, // with_skills = default theme
-		constants.CookieColorTheme: constants.ColorThemeLight, // Always light for PDFs
+		c.CookieCVLength:   c.CVLengthShort,
+		c.CookieCVIcons:    c.CVIconsShow,
+		c.CookieCVLanguage: lang,
+		c.CookieCVTheme:    c.CVThemeDefault, // with_skills = default theme
+		c.CookieColorTheme: c.ColorThemeLight, // Always light for PDFs
 	}

 	// Construct URL for PDF generation
@@ -170,9 +170,9 @@ func (h *CVHandler) DefaultCVShortcut(w http.ResponseWriter, r *http.Request) {
 	filename := filepath.Base(path) // cv-jamr-2025-en.pdf

 	// Set response headers with shortcut filename
-	w.Header().Set(constants.HeaderContentType, constants.ContentTypePDF)
-	w.Header().Set(constants.HeaderContentDisposition, fmt.Sprintf("attachment; filename=%s", filename))
-	w.Header().Set(constants.HeaderContentLength, fmt.Sprintf("%d", len(pdfData)))
+	w.Header().Set(c.HeaderContentType, c.ContentTypePDF)
+	w.Header().Set(c.HeaderContentDisposition, fmt.Sprintf("attachment; filename=%s", filename))
+	w.Header().Set(c.HeaderContentLength, fmt.Sprintf("%d", len(pdfData)))

 	// Write PDF data
 	if _, err := w.Write(pdfData); err != nil {
@@ -7,7 +7,7 @@ import (
 	"strings"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 	cvmodel "github.com/juanatsap/cv-site/internal/models/cv"
 	"github.com/juanatsap/cv-site/internal/pdf"
 )
@@ -38,21 +38,21 @@ func (h *CVHandler) ExportPDF(w http.ResponseWriter, r *http.Request) {

 	// Prepare cookies to set preferences
 	cookies := map[string]string{
-		constants.CookieCVLength:   req.Length,
-		constants.CookieCVIcons:    req.Icons,
-		constants.CookieCVLanguage: req.Lang,
+		c.CookieCVLength:   req.Length,
+		c.CookieCVIcons:    req.Icons,
+		c.CookieCVLanguage: req.Lang,
 	}

 	// Set theme cookie based on version parameter
-	if req.Version == constants.CVThemeClean {
-		cookies[constants.CookieCVTheme] = constants.CVThemeClean
+	if req.Version == c.CVThemeClean {
+		cookies[c.CookieCVTheme] = c.CVThemeClean
 	} else {
-		cookies[constants.CookieCVTheme] = constants.CVThemeDefault
+		cookies[c.CookieCVTheme] = c.CVThemeDefault
 	}

 	// CRITICAL: ALWAYS force light mode for PDF generation (print-friendly)
 	// This ensures PDFs are NEVER generated in dark mode, regardless of user's preference
-	cookies[constants.CookieColorTheme] = constants.ColorThemeLight
+	cookies[c.CookieColorTheme] = c.ColorThemeLight

 	// Construct URL for PDF generation (navigate to home page)
 	targetURL := fmt.Sprintf("http://%s/?lang=%s", h.serverAddr, req.Lang)
@@ -111,9 +111,9 @@ func (h *CVHandler) ExportPDF(w http.ResponseWriter, r *http.Request) {
 	}

 	// Set response headers
-	w.Header().Set(constants.HeaderContentType, constants.ContentTypePDF)
-	w.Header().Set(constants.HeaderContentDisposition, fmt.Sprintf("attachment; filename=%s", filename))
-	w.Header().Set(constants.HeaderContentLength, fmt.Sprintf("%d", len(pdfData)))
+	w.Header().Set(c.HeaderContentType, c.ContentTypePDF)
+	w.Header().Set(c.HeaderContentDisposition, fmt.Sprintf("attachment; filename=%s", filename))
+	w.Header().Set(c.HeaderContentLength, fmt.Sprintf("%d", len(pdfData)))

 	// Write PDF data
 	if _, err := w.Write(pdfData); err != nil {
@@ -11,7 +11,7 @@ import (
 	"text/template"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 	"github.com/juanatsap/cv-site/internal/httputil"
 )

@@ -36,7 +36,7 @@ var textBrowsers = []string{

 // isTextBrowser detects if the request comes from a text-based browser or CLI tool
 func isTextBrowser(r *http.Request) bool {
-	ua := strings.ToLower(r.Header.Get("User-Agent"))
+	ua := strings.ToLower(r.Header.Get(c.HeaderUserAgent))

 	// Check for known text browsers
 	for _, browser := range textBrowsers {
@@ -46,8 +46,8 @@ func isTextBrowser(r *http.Request) bool {
 	}

 	// Check Accept header - if client prefers text/plain
-	accept := r.Header.Get("Accept")
-	return strings.HasPrefix(accept, "text/plain")
+	accept := r.Header.Get(c.HeaderAccept)
+	return strings.HasPrefix(accept, c.ContentTypePlainSimple)
 }

 // ==============================================================================
@@ -150,8 +150,8 @@ func (h *CVHandler) PlainText(w http.ResponseWriter, r *http.Request) {
 	text := cleanPlainText(buf.String())

 	// Set response headers
-	w.Header().Set(constants.HeaderContentType, constants.ContentTypePlainText)
-	w.Header().Set(constants.HeaderXContentTypeOpts, constants.NoSniff)
+	w.Header().Set(c.HeaderContentType, c.ContentTypePlainText)
+	w.Header().Set(c.HeaderXContentTypeOpts, c.NoSniff)

 	// Check if download is requested
 	if r.URL.Query().Get("download") == "true" {
@@ -6,7 +6,7 @@ import (
 	"log"
 	"net/http"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // ErrorResponse represents a structured error response
@@ -64,12 +64,12 @@ func HandleError(w http.ResponseWriter, r *http.Request, err error) {

 	// Determine response based on Accept header
 	accept := r.Header.Get("Accept")
-	isJSON := accept == constants.ContentTypeJSON
-	isHTMX := r.Header.Get(constants.HeaderHXRequest) != ""
+	isJSON := accept == c.ContentTypeJSON
+	isHTMX := r.Header.Get(c.HeaderHXRequest) != ""

 	if isJSON {
 		// JSON response
-		w.Header().Set(constants.HeaderContentType, constants.ContentTypeJSON)
+		w.Header().Set(c.HeaderContentType, c.ContentTypeJSON)
 		w.WriteHeader(appErr.StatusCode)

 		response := ErrorResponse{
@@ -90,7 +90,7 @@ func HandleError(w http.ResponseWriter, r *http.Request, err error) {

 	if isHTMX {
 		// HTMX response - return simple HTML fragment
-		w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTMLFragment)
+		w.Header().Set(c.HeaderContentType, c.ContentTypeHTMLFragment)
 		w.WriteHeader(appErr.StatusCode)

 		message := appErr.Message
@@ -6,7 +6,7 @@ import (
 	"net/http"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // HealthResponse represents the health check response
@@ -36,7 +36,7 @@ func (h *HealthHandler) Check(w http.ResponseWriter, r *http.Request) {
 		Version:   h.version,
 	}

-	w.Header().Set(constants.HeaderContentType, constants.ContentTypeJSON)
+	w.Header().Set(c.HeaderContentType, c.ContentTypeJSON)
 	w.WriteHeader(http.StatusOK)
 	if err := json.NewEncoder(w).Encode(response); err != nil {
 		log.Printf("ERROR encoding health check response: %v", err)
@@ -4,15 +4,15 @@ package httputil
 import (
 	"net/http"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // Lang extracts and validates the language from query params.
 // Returns the language or default if invalid/missing.
 func Lang(r *http.Request) string {
 	lang := r.URL.Query().Get("lang")
-	if lang == "" || !constants.SupportedLanguages[lang] {
-		return constants.LangDefault
+	if lang == "" || !c.SupportedLanguages[lang] {
+		return c.LangDefault
 	}
 	return lang
 }
@@ -22,9 +22,9 @@ func Lang(r *http.Request) string {
 func LangOrError(r *http.Request) (string, bool) {
 	lang := r.URL.Query().Get("lang")
 	if lang == "" {
-		return constants.LangDefault, true
+		return c.LangDefault, true
 	}
-	if !constants.SupportedLanguages[lang] {
+	if !c.SupportedLanguages[lang] {
 		return "", false
 	}
 	return lang, true
@@ -2,12 +2,15 @@ package httputil

 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
+
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // JSON writes a JSON response with the given status code.
 func JSON(w http.ResponseWriter, status int, data interface{}) error {
-	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set(c.HeaderContentType, c.ContentTypeJSON)
 	w.WriteHeader(status)
 	return json.NewEncoder(w).Encode(data)
 }
@@ -19,13 +22,13 @@ func JSONOk(w http.ResponseWriter, data interface{}) error {

 // JSONCached writes a JSON response with caching headers.
 func JSONCached(w http.ResponseWriter, data interface{}, maxAge int) error {
-	w.Header().Set("Cache-Control", "public, max-age="+string(rune(maxAge)))
+	w.Header().Set(c.HeaderCacheControl, fmt.Sprintf("public, max-age=%d", maxAge))
 	return JSONOk(w, data)
 }

 // HTML sets HTML content type header.
 func HTML(w http.ResponseWriter) {
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 }

 // NoContent sends a 204 No Content response.
@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"strings"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 const (
@@ -23,7 +23,7 @@ const (
 func BrowserOnly(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Check 1: User-Agent validation
-		userAgent := r.Header.Get(constants.HeaderUserAgent)
+		userAgent := r.Header.Get(c.HeaderUserAgent)
 		if userAgent == "" || isBotUserAgent(userAgent) {
 			log.Printf("SECURITY: Blocked non-browser User-Agent from IP %s: %s", getRequestIP(r), userAgent)
 			http.Error(w, "Forbidden: Browser access only", http.StatusForbidden)
@@ -31,8 +31,8 @@ func BrowserOnly(next http.Handler) http.Handler {
 		}

 		// Check 2: Require Referer or Origin header
-		referer := r.Header.Get(constants.HeaderReferer)
-		origin := r.Header.Get(constants.HeaderOrigin)
+		referer := r.Header.Get(c.HeaderReferer)
+		origin := r.Header.Get(c.HeaderOrigin)

 		if referer == "" && origin == "" {
 			log.Printf("SECURITY: Blocked request without Referer/Origin from IP %s", getRequestIP(r))
@@ -43,7 +43,7 @@ func BrowserOnly(next http.Handler) http.Handler {
 		// Check 3: Custom header validation (set by JavaScript)
 		// For HTMX requests, check HX-Request header
 		// For fetch/XMLHttpRequest, check X-Requested-With header
-		hasHTMXHeader := r.Header.Get(constants.HeaderHXRequest) == "true"
+		hasHTMXHeader := r.Header.Get(c.HeaderHXRequest) == "true"
 		hasXMLHTTPHeader := r.Header.Get(browserHeaderName) == browserHeaderValue
 		hasCustomBrowserHeader := r.Header.Get("X-Browser-Request") == "true"

@@ -98,7 +98,7 @@ func isBotUserAgent(ua string) bool {
 // getRequestIP extracts the client IP from the request
 func getRequestIP(r *http.Request) string {
 	// Try X-Forwarded-For first (for proxies/load balancers)
-	ip := r.Header.Get(constants.HeaderXForwardedFor)
+	ip := r.Header.Get(c.HeaderXForwardedFor)
 	if ip != "" {
 		// Take first IP if multiple
 		ips := strings.Split(ip, ",")
@@ -106,7 +106,7 @@ func getRequestIP(r *http.Request) string {
 	}

 	// Try X-Real-IP
-	ip = r.Header.Get(constants.HeaderXRealIP)
+	ip = r.Header.Get(c.HeaderXRealIP)
 	if ip != "" {
 		return ip
 	}
@@ -6,7 +6,7 @@ import (
 	"sync"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // contactRateLimitEntry tracks rate limiting for contact form per IP
@@ -39,9 +39,9 @@ func NewContactRateLimiter() *ContactRateLimiter {
 func (rl *ContactRateLimiter) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Get client IP (handle X-Forwarded-For for proxies)
-		ip := r.Header.Get(constants.HeaderXForwardedFor)
+		ip := r.Header.Get(c.HeaderXForwardedFor)
 		if ip == "" {
-			ip = r.Header.Get(constants.HeaderXRealIP)
+			ip = r.Header.Get(c.HeaderXRealIP)
 		}
 		if ip == "" {
 			ip = strings.Split(r.RemoteAddr, ":")[0]
@@ -54,18 +54,18 @@ func (rl *ContactRateLimiter) Middleware(next http.Handler) http.Handler {

 		if !rl.allow(ip) {
 			// Check if HTMX request
-			isHTMX := r.Header.Get(constants.HeaderHXRequest) != ""
+			isHTMX := r.Header.Get(c.HeaderHXRequest) != ""

 			if isHTMX {
 				// Return HTMX-friendly error
-				w.Header().Set(constants.HeaderContentType, constants.ContentTypeHTML)
+				w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 				w.WriteHeader(http.StatusTooManyRequests)
 				_, _ = w.Write([]byte(`<div class="alert alert-error">
 					<h3>Too Many Requests</h3>
 					<p>You've submitted too many contact forms. Please wait an hour before trying again.</p>
 				</div>`))
 			} else {
-				w.Header().Set(constants.HeaderRetryAfter, "3600") // 1 hour
+				w.Header().Set(c.HeaderRetryAfter, "3600") // 1 hour
 				http.Error(w, "Too many contact form submissions. Please try again in an hour.", http.StatusTooManyRequests)
 			}
 			return
@@ -8,6 +8,8 @@ import (
 	"net/http"
 	"sync"
 	"time"
+
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 const (
@@ -44,18 +46,18 @@ func NewCSRFProtection() *CSRFProtection {
 // Middleware provides CSRF protection for state-changing operations
 // GET requests: Generate and set CSRF token
 // POST/PUT/DELETE: Validate CSRF token
-func (c *CSRFProtection) Middleware(next http.Handler) http.Handler {
+func (csrf *CSRFProtection) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Only validate on state-changing methods
 		if r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete {
-			if !c.validateToken(r) {
+			if !csrf.validateToken(r) {
 				log.Printf("SECURITY: CSRF validation failed from IP %s", getClientIP(r))

 				// Check if HTMX request
-				isHTMX := r.Header.Get("HX-Request") != ""
+				isHTMX := r.Header.Get(c.HeaderHXRequest) != ""

 				if isHTMX {
-					w.Header().Set("Content-Type", "text/html; charset=utf-8")
+					w.Header().Set(c.HeaderContentType, c.ContentTypeHTML)
 					w.WriteHeader(http.StatusForbidden)
 					_, _ = w.Write([]byte(`<div class="alert alert-error">
 						<h3>Security Error</h3>
@@ -73,7 +75,7 @@ func (c *CSRFProtection) Middleware(next http.Handler) http.Handler {
 }

 // generateToken creates a new CSRF token
-func (c *CSRFProtection) generateToken() (string, error) {
+func (csrf *CSRFProtection) generateToken() (string, error) {
 	bytes := make([]byte, csrfTokenLength)
 	if _, err := rand.Read(bytes); err != nil {
 		return "", err
@@ -82,26 +84,26 @@ func (c *CSRFProtection) generateToken() (string, error) {
 	token := base64.URLEncoding.EncodeToString(bytes)

 	// Store token with expiration
-	c.mu.Lock()
-	c.tokens[token] = &csrfTokenEntry{
+	csrf.mu.Lock()
+	csrf.tokens[token] = &csrfTokenEntry{
 		token:     token,
 		expiresAt: time.Now().Add(csrfTokenTTL),
 	}
-	c.mu.Unlock()
+	csrf.mu.Unlock()

 	return token, nil
 }

 // GetToken retrieves or generates a CSRF token for the request
 // This should be called when rendering forms
-func (c *CSRFProtection) GetToken(w http.ResponseWriter, r *http.Request) (string, error) {
+func (csrf *CSRFProtection) GetToken(w http.ResponseWriter, r *http.Request) (string, error) {
 	// Check if token exists in cookie
 	cookie, err := r.Cookie(csrfCookieName)
 	if err == nil && cookie.Value != "" {
 		// Validate existing token
-		c.mu.RLock()
-		entry, exists := c.tokens[cookie.Value]
-		c.mu.RUnlock()
+		csrf.mu.RLock()
+		entry, exists := csrf.tokens[cookie.Value]
+		csrf.mu.RUnlock()

 		if exists && time.Now().Before(entry.expiresAt) {
 			// Token is valid, return it
@@ -110,7 +112,7 @@ func (c *CSRFProtection) GetToken(w http.ResponseWriter, r *http.Request) (strin
 	}

 	// Generate new token
-	token, err := c.generateToken()
+	token, err := csrf.generateToken()
 	if err != nil {
 		return "", fmt.Errorf("failed to generate CSRF token: %w", err)
 	}
@@ -130,7 +132,7 @@ func (c *CSRFProtection) GetToken(w http.ResponseWriter, r *http.Request) (strin
 }

 // validateToken validates the CSRF token from the request
-func (c *CSRFProtection) validateToken(r *http.Request) bool {
+func (csrf *CSRFProtection) validateToken(r *http.Request) bool {
 	// Get token from form
 	var formToken string

@@ -163,9 +165,9 @@ func (c *CSRFProtection) validateToken(r *http.Request) bool {
 	}

 	// Validate token exists and is not expired
-	c.mu.RLock()
-	entry, exists := c.tokens[formToken]
-	c.mu.RUnlock()
+	csrf.mu.RLock()
+	entry, exists := csrf.tokens[formToken]
+	csrf.mu.RUnlock()

 	if !exists {
 		log.Printf("CSRF: Token not found in store")
@@ -181,19 +183,19 @@ func (c *CSRFProtection) validateToken(r *http.Request) bool {
 }

 // cleanup removes expired tokens periodically
-func (c *CSRFProtection) cleanup() {
+func (csrf *CSRFProtection) cleanup() {
 	ticker := time.NewTicker(1 * time.Hour)
 	defer ticker.Stop()

 	for range ticker.C {
-		c.mu.Lock()
+		csrf.mu.Lock()
 		now := time.Now()
-		for token, entry := range c.tokens {
+		for token, entry := range csrf.tokens {
 			if now.After(entry.expiresAt) {
-				delete(c.tokens, token)
+				delete(csrf.tokens, token)
 			}
 		}
-		c.mu.Unlock()
+		csrf.mu.Unlock()
 	}
 }

@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"os"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // contextKey is a private type for context keys to avoid collisions
@@ -30,22 +30,22 @@ type Preferences struct {
 func PreferencesMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		prefs := &Preferences{
-			CVLength:   getPreferenceCookie(r, constants.CookieCVLength, constants.CVLengthShort),
-			CVIcons:    getPreferenceCookie(r, constants.CookieCVIcons, constants.CVIconsShow),
-			CVLanguage: getPreferenceCookie(r, constants.CookieCVLanguage, constants.LangEnglish),
-			CVTheme:    getPreferenceCookie(r, constants.CookieCVTheme, constants.CVThemeDefault),
-			ColorTheme: getPreferenceCookie(r, constants.CookieColorTheme, constants.ColorThemeLight),
+			CVLength:   getPreferenceCookie(r, c.CookieCVLength, c.CVLengthShort),
+			CVIcons:    getPreferenceCookie(r, c.CookieCVIcons, c.CVIconsShow),
+			CVLanguage: getPreferenceCookie(r, c.CookieCVLanguage, c.LangEnglish),
+			CVTheme:    getPreferenceCookie(r, c.CookieCVTheme, c.CVThemeDefault),
+			ColorTheme: getPreferenceCookie(r, c.CookieColorTheme, c.ColorThemeLight),
 		}

 		// Migrate old preference values (one-time auto-migration)
 		if prefs.CVLength == "extended" {
-			prefs.CVLength = constants.CVLengthLong
+			prefs.CVLength = c.CVLengthLong
 		}
 		switch prefs.CVIcons {
 		case "true":
-			prefs.CVIcons = constants.CVIconsShow
+			prefs.CVIcons = c.CVIconsShow
 		case "false":
-			prefs.CVIcons = constants.CVIconsHide
+			prefs.CVIcons = c.CVIconsHide
 		}

 		// Store preferences in context
@@ -60,11 +60,11 @@ func GetPreferences(r *http.Request) *Preferences {
 	if !ok {
 		// Return default preferences if not found
 		return &Preferences{
-			CVLength:   constants.CVLengthShort,
-			CVIcons:    constants.CVIconsShow,
-			CVLanguage: constants.LangEnglish,
-			CVTheme:    constants.CVThemeDefault,
-			ColorTheme: constants.ColorThemeLight,
+			CVLength:   c.CVLengthShort,
+			CVIcons:    c.CVIconsShow,
+			CVLanguage: c.LangEnglish,
+			CVTheme:    c.CVThemeDefault,
+			ColorTheme: c.ColorThemeLight,
 		}
 	}
 	return prefs
@@ -102,42 +102,42 @@ func GetColorTheme(r *http.Request) string {

 // IsLongCV returns true if the user prefers long CV format
 func IsLongCV(r *http.Request) bool {
-	return GetCVLength(r) == constants.CVLengthLong
+	return GetCVLength(r) == c.CVLengthLong
 }

 // IsShortCV returns true if the user prefers short CV format
 func IsShortCV(r *http.Request) bool {
-	return GetCVLength(r) == constants.CVLengthShort
+	return GetCVLength(r) == c.CVLengthShort
 }

 // ShowIcons returns true if icons should be visible
 func ShowIcons(r *http.Request) bool {
-	return GetCVIcons(r) == constants.CVIconsShow
+	return GetCVIcons(r) == c.CVIconsShow
 }

 // HideIcons returns true if icons should be hidden
 func HideIcons(r *http.Request) bool {
-	return GetCVIcons(r) == constants.CVIconsHide
+	return GetCVIcons(r) == c.CVIconsHide
 }

 // IsCleanTheme returns true if clean theme is selected
 func IsCleanTheme(r *http.Request) bool {
-	return GetCVTheme(r) == constants.CVThemeClean
+	return GetCVTheme(r) == c.CVThemeClean
 }

 // IsDefaultTheme returns true if default theme is selected
 func IsDefaultTheme(r *http.Request) bool {
-	return GetCVTheme(r) == constants.CVThemeDefault
+	return GetCVTheme(r) == c.CVThemeDefault
 }

 // IsDarkMode returns true if dark mode is enabled
 func IsDarkMode(r *http.Request) bool {
-	return GetColorTheme(r) == constants.ColorThemeDark
+	return GetColorTheme(r) == c.ColorThemeDark
 }

 // IsLightMode returns true if light mode is enabled
 func IsLightMode(r *http.Request) bool {
-	return GetColorTheme(r) == constants.ColorThemeLight
+	return GetColorTheme(r) == c.ColorThemeLight
 }

 // SetPreferenceCookie sets a preference cookie (1 year expiry)
@@ -145,8 +145,8 @@ func SetPreferenceCookie(w http.ResponseWriter, name string, value string) {
 	http.SetCookie(w, &http.Cookie{
 		Name:     name,
 		Value:    value,
-		Path:     constants.CookiePath,
-		MaxAge:   constants.CookieMaxAge,
+		Path:     c.CookiePath,
+		MaxAge:   c.CookieMaxAge,
 		HttpOnly: true,
 		SameSite: http.SameSiteStrictMode,
 		Secure:   isProductionMode(), // Secure in production with HTTPS
@@ -155,8 +155,8 @@ func SetPreferenceCookie(w http.ResponseWriter, name string, value string) {

 // isProductionMode checks if the application is running in production
 func isProductionMode() bool {
-	env := os.Getenv(constants.EnvVarGOEnv)
-	return env == constants.EnvProduction || env == "prod"
+	env := os.Getenv(c.EnvVarGOEnv)
+	return env == c.EnvProduction || env == "prod"
 }

 // getPreferenceCookie gets a preference cookie value, returns default if not found
@@ -7,26 +7,26 @@ import (
 	"sync"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // SecurityHeaders adds production-grade security headers to responses
 func SecurityHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Prevent clickjacking
-		w.Header().Set(constants.HeaderXFrameOptions, constants.FrameOptionsSameOrigin)
+		w.Header().Set(c.HeaderXFrameOptions, c.FrameOptionsSameOrigin)

 		// Prevent MIME type sniffing
-		w.Header().Set(constants.HeaderXContentTypeOpts, constants.NoSniff)
+		w.Header().Set(c.HeaderXContentTypeOpts, c.NoSniff)

 		// XSS Protection (legacy but still useful for older browsers)
-		w.Header().Set(constants.HeaderXXSSProtection, constants.XSSProtection)
+		w.Header().Set(c.HeaderXXSSProtection, c.XSSProtection)

 		// Referrer policy - strict privacy
-		w.Header().Set(constants.HeaderReferrerPolicy, constants.ReferrerPolicy)
+		w.Header().Set(c.HeaderReferrerPolicy, c.ReferrerPolicy)

 		// Permissions Policy - disable unnecessary features
-		w.Header().Set(constants.HeaderPermissionsPolicy,
+		w.Header().Set(c.HeaderPermissionsPolicy,
 			"geolocation=(), microphone=(), camera=(), payment=(), usb=(), "+
 				"magnetometer=(), gyroscope=(), accelerometer=()")

@@ -40,12 +40,12 @@ func SecurityHeaders(next http.Handler) http.Handler {
 			"frame-ancestors 'self'; " +
 			"base-uri 'self'; " +
 			"form-action 'self'"
-		w.Header().Set(constants.HeaderCSP, csp)
+		w.Header().Set(c.HeaderCSP, csp)

 		// HSTS - only in production with HTTPS
-		if os.Getenv(constants.EnvVarGOEnv) == constants.EnvProduction {
+		if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {
 			// 1 year max-age, include subdomains
-			w.Header().Set(constants.HeaderHSTS, constants.HSTSMaxAge)
+			w.Header().Set(c.HeaderHSTS, c.HSTSMaxAge)
 		}

 		next.ServeHTTP(w, r)
@@ -76,7 +76,7 @@ func OriginChecker(next http.Handler) http.Handler {
 		}

 		// Check Origin header (for CORS requests)
-		origin := r.Header.Get(constants.HeaderOrigin)
+		origin := r.Header.Get(c.HeaderOrigin)
 		if origin != "" {
 			if !isAllowedOrigin(origin, allowedOrigins) {
 				http.Error(w, "Forbidden: External access not allowed", http.StatusForbidden)
@@ -85,7 +85,7 @@ func OriginChecker(next http.Handler) http.Handler {
 		}

 		// Check Referer header (for direct requests)
-		referer := r.Header.Get(constants.HeaderReferer)
+		referer := r.Header.Get(c.HeaderReferer)
 		if referer != "" {
 			if !isAllowedOrigin(referer, allowedOrigins) {
 				http.Error(w, "Forbidden: External access not allowed", http.StatusForbidden)
@@ -98,7 +98,7 @@ func OriginChecker(next http.Handler) http.Handler {
 		if origin == "" && referer == "" {
 			// For production, you might want to be stricter here
 			// For now, allow it (users can bookmark /export/pdf directly)
-			if os.Getenv(constants.EnvVarGOEnv) == constants.EnvProduction && r.URL.Path == constants.RouteExportPDF {
+			if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction && r.URL.Path == c.RouteExportPDF {
 				// In production, require at least a referer for PDF endpoint
 				http.Error(w, "Forbidden: Direct access not allowed", http.StatusForbidden)
 				return
@@ -163,16 +163,16 @@ func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
 func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Get client IP (handle X-Forwarded-For for proxies)
-		ip := r.Header.Get(constants.HeaderXForwardedFor)
+		ip := r.Header.Get(c.HeaderXForwardedFor)
 		if ip == "" {
-			ip = r.Header.Get(constants.HeaderXRealIP)
+			ip = r.Header.Get(c.HeaderXRealIP)
 		}
 		if ip == "" {
 			ip = strings.Split(r.RemoteAddr, ":")[0]
 		}

 		if !rl.allow(ip) {
-			w.Header().Set(constants.HeaderRetryAfter, "60")
+			w.Header().Set(c.HeaderRetryAfter, "60")
 			http.Error(w, "Rate limit exceeded. Please try again later.", http.StatusTooManyRequests)
 			return
 		}
@@ -227,12 +227,12 @@ func (rl *RateLimiter) cleanup() {
 // 1 hour in development, 1 day in production
 func CacheControl(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		cacheValue := constants.CachePublic1Hour
-		if os.Getenv(constants.EnvVarGOEnv) == constants.EnvProduction {
-			cacheValue = constants.CachePublic1Day
+		cacheValue := c.CachePublic1Hour
+		if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {
+			cacheValue = c.CachePublic1Day
 		}

-		w.Header().Set(constants.HeaderCacheControl, cacheValue)
+		w.Header().Set(c.HeaderCacheControl, cacheValue)
 		next.ServeHTTP(w, r)
 	})
 }
@@ -243,12 +243,12 @@ func DynamicCacheControl(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// For dynamic HTML pages: short cache, must revalidate
 		// This improves performance while ensuring fresh content
-		if os.Getenv(constants.EnvVarGOEnv) == constants.EnvProduction {
+		if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {
 			// Production: 5 minutes cache, but must revalidate
-			w.Header().Set(constants.HeaderCacheControl, constants.CachePublic5Min)
+			w.Header().Set(c.HeaderCacheControl, c.CachePublic5Min)
 		} else {
 			// Development: no cache for easier testing
-			w.Header().Set(constants.HeaderCacheControl, constants.CacheNoStore)
+			w.Header().Set(c.HeaderCacheControl, c.CacheNoStore)
 		}
 		next.ServeHTTP(w, r)
 	})
@@ -8,7 +8,7 @@ import (
 	"strings"
 	"time"

-	"github.com/juanatsap/cv-site/internal/constants"
+	c "github.com/juanatsap/cv-site/internal/constants"
 )

 // SecurityEvent represents a security-related event
@@ -57,7 +57,7 @@ func LogSecurityEvent(eventType string, r *http.Request, details string) {
 		EventType: eventType,
 		Severity:  severity,
 		IP:        getClientIP(r),
-		UserAgent: r.Header.Get(constants.HeaderUserAgent),
+		UserAgent: r.Header.Get(c.HeaderUserAgent),
 		Method:    r.Method,
 		Path:      r.URL.Path,
 		Details:   details,
@@ -74,7 +74,7 @@ func LogSecurityEvent(eventType string, r *http.Request, details string) {
 	log.Printf("[SECURITY] %s", eventJSON)

 	// Also log to separate security log file in production
-	if os.Getenv(constants.EnvVarGOEnv) == constants.EnvProduction {
+	if os.Getenv(c.EnvVarGOEnv) == c.EnvProduction {
 		logToSecurityFile(eventJSON)
 	}
 }
@@ -99,14 +99,14 @@ func getSeverity(eventType string) string {
 // getClientIP extracts the real client IP from request headers
 func getClientIP(r *http.Request) string {
 	// Check X-Forwarded-For header (proxy/load balancer)
-	if xff := r.Header.Get(constants.HeaderXForwardedFor); xff != "" {
+	if xff := r.Header.Get(c.HeaderXForwardedFor); xff != "" {
 		// Take first IP from comma-separated list
 		ips := strings.Split(xff, ",")
 		return strings.TrimSpace(ips[0])
 	}

 	// Check X-Real-IP header
-	if xri := r.Header.Get(constants.HeaderXRealIP); xri != "" {
+	if xri := r.Header.Get(c.HeaderXRealIP); xri != "" {
 		return xri
 	}

@@ -181,7 +181,7 @@ func SecurityLogger(next http.Handler) http.Handler {
 				EventType: "REQUEST",
 				Severity:  SeverityInfo,
 				IP:        getClientIP(r),
-				UserAgent: r.Header.Get(constants.HeaderUserAgent),
+				UserAgent: r.Header.Get(c.HeaderUserAgent),
 				Method:    r.Method,
 				Path:      r.URL.Path,
 				Details:   string(detailsJSON),
@@ -203,7 +203,7 @@ func SecurityLogger(next http.Handler) http.Handler {
 				EventType: "HTTP_ERROR",
 				Severity:  severity,
 				IP:        getClientIP(r),
-				UserAgent: r.Header.Get(constants.HeaderUserAgent),
+				UserAgent: r.Header.Get(c.HeaderUserAgent),
 				Method:    r.Method,
 				Path:      r.URL.Path,
 				Details:   http.StatusText(wrapped.status),