fix(security): add Content-Security-Policy response header (#822)

Adds CSP middleware to the global middleware chain as a browser-level defense against XSS: script-src 'self', object-src 'none', frame-ancestors 'none', base-uri 'self', form-action 'self'. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-17 11:48:42 +02:00 · 2026-04-13 12:53:39 +08:00
parent 95bfd7dd96
commit e20c507dcc
3 changed files with 57 additions and 0 deletions
--- a/server/cmd/server/router.go
+++ b/server/cmd/server/router.go
@@ -78,6 +78,7 @@ func NewRouter(pool *pgxpool.Pool, hub *realtime.Hub, bus *events.Bus) chi.Route
 	r.Use(chimw.RequestID)
 	r.Use(middleware.RequestLogger)
 	r.Use(chimw.Recoverer)
+	r.Use(middleware.ContentSecurityPolicy)
 	origins := allowedOrigins()

 	// Share allowed origins with WebSocket origin checker.
--- a/server/internal/middleware/csp.go
+++ b/server/internal/middleware/csp.go
@@ -0,0 +1,20 @@
+package middleware
+
+import "net/http"
+
+const cspHeader = "default-src 'self'; " +
+	"script-src 'self'; " +
+	"style-src 'self' 'unsafe-inline'; " +
+	"img-src 'self' https: data:; " +
+	"connect-src 'self' wss:; " +
+	"frame-ancestors 'none'; " +
+	"object-src 'none'; " +
+	"base-uri 'self'; " +
+	"form-action 'self'"
+
+func ContentSecurityPolicy(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Security-Policy", cspHeader)
+		next.ServeHTTP(w, r)
+	})
+}
--- a/server/internal/middleware/csp_test.go
+++ b/server/internal/middleware/csp_test.go
@@ -0,0 +1,36 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestContentSecurityPolicy(t *testing.T) {
+	handler := ContentSecurityPolicy(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	csp := rec.Header().Get("Content-Security-Policy")
+	if csp == "" {
+		t.Fatal("Content-Security-Policy header is missing")
+	}
+
+	required := []string{
+		"script-src 'self'",
+		"object-src 'none'",
+		"frame-ancestors 'none'",
+		"base-uri 'self'",
+		"form-action 'self'",
+	}
+	for _, directive := range required {
+		if !strings.Contains(csp, directive) {
+			t.Errorf("CSP missing directive %q; got: %s", directive, csp)
+		}
+	}
+}