mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 21:39:54 +02:00
Adds CSP middleware to the global middleware chain as a browser-level defense against XSS: script-src 'self', object-src 'none', frame-ancestors 'none', base-uri 'self', form-action 'self'. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
21 lines
531 B
Go
21 lines
531 B
Go
package middleware
|
|
|
|
import "net/http"
|
|
|
|
const cspHeader = "default-src 'self'; " +
|
|
"script-src 'self'; " +
|
|
"style-src 'self' 'unsafe-inline'; " +
|
|
"img-src 'self' https: data:; " +
|
|
"connect-src 'self' wss:; " +
|
|
"frame-ancestors 'none'; " +
|
|
"object-src 'none'; " +
|
|
"base-uri 'self'; " +
|
|
"form-action 'self'"
|
|
|
|
func ContentSecurityPolicy(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Security-Policy", cspHeader)
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|