Vibe-guided bskyoauth and custom repo example code in Golang — probably not safe to use in prod
package bskyoauth

import (
	"net/http"

	internalhttp "github.com/shindakun/bskyoauth/internal/http"
)

// SecurityHeadersOptions customizes the security headers the middleware emits.
// It is an alias of the internal/http type so that existing callers keep compiling.
type SecurityHeadersOptions = internalhttp.SecurityHeadersOptions

// SecurityHeadersMiddleware returns a middleware constructor that decorates
// every response with the default set of security headers.
//
// The Content-Security-Policy is chosen per request: when r.Host is one of
// localhost, 127.0.0.1, [::1] or 0.0.0.0 the policy is relaxed for local
// development; otherwise the strict production policy applies. The default
// policy lists Bluesky domains in connect-src and form-action so that pages
// can POST forms to, and call from client-side JavaScript, the Bluesky API.
//
// NOTE(review): r.Host is populated from the client-supplied Host header, so
// the localhost relaxation is decided by request data rather than by
// deployment configuration. Confirm in internal/http that a production
// deployment cannot have its CSP downgraded by a request carrying a
// localhost Host value (for example, by keying the relaxation on an explicit
// development flag instead).
//
// HTTPS is detected when r.TLS != nil (direct TLS) or when a reverse proxy
// sets X-Forwarded-Proto: https.
//
// Headers written:
//   - Content-Security-Policy (relaxed on localhost, strict otherwise)
//   - X-Frame-Options: DENY
//   - X-Content-Type-Options: nosniff
//   - X-XSS-Protection: 1; mode=block
//   - Referrer-Policy: strict-origin-when-cross-origin
//   - Strict-Transport-Security (HTTPS only, never on localhost)
//
// NOTE(review): X-XSS-Protection is deprecated and no longer honoured by
// most current browsers; the CSP is what carries injection protection here.
// Confirm whether the header is still wanted.
//
// Usage:
//
//	mux := http.NewServeMux()
//	// ... set up handlers ...
//	handler := bskyoauth.SecurityHeadersMiddleware()(mux)
//	http.ListenAndServe(":8080", handler)
func SecurityHeadersMiddleware() func(http.Handler) http.Handler {
	// The defaults live in internal/http; this package only re-exports them.
	wrap := internalhttp.SecurityHeadersMiddleware()
	return wrap
}

// SecurityHeadersMiddlewareWithOptions behaves like SecurityHeadersMiddleware
// but derives the headers, including the CSP directives, from opts instead of
// the built-in defaults.
//
// Usage:
//
//	opts := &bskyoauth.SecurityHeadersOptions{
//		CSPConnectSrc: []string{"'self'", "https://api.example.com"},
//		CustomHeaders: map[string]string{"X-Custom": "value"},
//	}
//	handler := bskyoauth.SecurityHeadersMiddlewareWithOptions(opts)(mux)
func SecurityHeadersMiddlewareWithOptions(opts *SecurityHeadersOptions) func(http.Handler) http.Handler {
	// opts is passed through untouched; its interpretation is internal/http's.
	wrap := internalhttp.SecurityHeadersMiddlewareWithOptions(opts)
	return wrap
}