From 652eea694e2f4d8db7d9c5569fc940651237bc48 Mon Sep 17 00:00:00 2001
From: Vic Demuzere
Date: Fri, 24 Sep 2021 16:59:06 +0200
Subject: [PATCH] Add security HTTP headers

Sadly, the Vue web interface needs unsafe-inline for both stylesheets and scripts, making the CSP header a bit useless.
---
 main.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/main.go b/main.go
index 237813c..decee81 100644
--- a/main.go
+++ b/main.go
@@ -86,9 +86,20 @@ func assetDelivery(w http.ResponseWriter, r *http.Request) {
 }
 
 w.Header().Set("Content-Type", mime.TypeByExtension(ext))
+ w.Header().Set("X-Content-Type-Options", "nosniff")
 w.Write(assetData)
 }
 
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+var cspHeader = strings.Join([]string{
+ "default-src 'none'",
+ "connect-src 'self'",
+ "font-src 'self'",
+ "img-src 'self'",
+ "script-src 'self' 'unsafe-inline'",
+ "style-src 'self' 'unsafe-inline'",
+}, ";")
+
 func handleIndex(w http.ResponseWriter, r *http.Request) {
 indexTpl, err := assets.ReadFile("frontend/index.html")
 if err != nil {
@@ -102,6 +113,12 @@ func handleIndex(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ w.Header().Set("Referrer-Policy", "no-referrer")
+ w.Header().Set("X-Frame-Options", "DENY")
+ w.Header().Set("X-Xss-Protection", "1; mode=block")
+ w.Header().Set("Content-Security-Policy", cspHeader)
+ w.Header().Set("X-Content-Type-Options", "nosniff")
+
 if err = tpl.Execute(w, struct {
 Vars map[string]string
 }{
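Review bot: `cspHeader` leaves `base-uri` and `frame-ancestors` unset, and neither of those directives falls back to `default-src 'none'`, so an injected `<base href>` can redirect the `'self'`-relative script and style loads, and framing is only blocked by the legacy X-Frame-Options header rather than by the CSP itself. Adding `"base-uri 'none'",` and `"frame-ancestors 'none'",` to the slice closes both gaps; `"form-action 'self'",` is worth adding for the same reason if the UI submits forms. Given that `'unsafe-inline'` is already acknowledged in the commit message as neutering `script-src`, these non-inheriting directives are the part of the policy that still does real work. The `strings` import this relies on is outside the hunk, so confirm it is present in main.go.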
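Review bot: The `X-Xss-Protection: 1; mode=block` line in handleIndex should be removed or changed to `w.Header().Set("X-XSS-Protection", "0")`: the auditor it enables has been removed from Chromium and never existed in Firefox, and in the legacy browsers that still honour it the filter itself was usable for cross-site information leaks, which is why current OWASP guidance is to disable it explicitly. Since `cspHeader` carries no `frame-ancestors`, `X-Frame-Options: DENY` is the only framing control here and should stay. If this process terminates TLS itself, `Strict-Transport-Security` is the one commonly expected header still missing; if TLS is terminated upstream, it belongs there instead. handleIndex continues past the end of the hunk.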