tech/tanabata
1
1
Fork 0
Code Pull Requests Actions Releases Activity

fix(backend): add baseline security response headers

Browse Source 
Set X-Content-Type-Options: nosniff (so served file bytes are not MIME
sniffed), X-Frame-Options: DENY, and Referrer-Policy: no-referrer on all
responses via middleware.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Masahiko AMANO
2026-06-10 14:13:56 +03:00
parent 591b3d2fe3
commit 40c91cec55
1 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/internal/handler/router.go
+14 -1
View File
@@ -6,6 +6,19 @@ import (
"github.com/gin-gonic/gin"
)
// securityHeaders sets conservative response headers on every response: prevent
// MIME sniffing of served file content, forbid framing, and suppress the
// Referer header on outbound navigations.
func securityHeaders() gin.HandlerFunc {
return func(c *gin.Context) {
h := c.Writer.Header()
h.Set("X-Content-Type-Options", "nosniff")
h.Set("X-Frame-Options", "DENY")
h.Set("Referrer-Policy", "no-referrer")
c.Next()
}
}
// NewRouter builds and returns a configured Gin engine.
func NewRouter(
auth *AuthMiddleware,
@@ -19,7 +32,7 @@ func NewRouter(
auditHandler *AuditHandler,
) *gin.Engine {
r := gin.New()
r.Use(gin.Logger(), gin.Recovery())
r.Use(gin.Logger(), gin.Recovery(), securityHeaders())
// Health check — no auth required.
r.GET("/health", func(c *gin.Context) {