feat: add CSP header (#908)

Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
2026-02-14 15:52:31 +00:00 · 2025-09-07 20:45:06 +02:00
parent 74b39e16f9
commit 6215e1ac01
9 changed files with 343 additions and 102 deletions
--- a/backend/internal/middleware/csp_middleware.go
+++ b/backend/internal/middleware/csp_middleware.go
@@ -0,0 +1,53 @@
+package middleware
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+
+	"github.com/gin-gonic/gin"
+)
+
+// CspMiddleware sets a Content Security Policy header and, when possible,
+// includes a per-request nonce for inline scripts.
+type CspMiddleware struct{}
+
+func NewCspMiddleware() *CspMiddleware { return &CspMiddleware{} }
+
+// GetCSPNonce returns the CSP nonce generated for this request, if any.
+func GetCSPNonce(c *gin.Context) string {
+	if v, ok := c.Get("csp_nonce"); ok {
+		if s, ok := v.(string); ok {
+			return s
+		}
+	}
+	return ""
+}
+
+func (m *CspMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Generate a random base64 nonce for this request
+		nonce := generateNonce()
+		c.Set("csp_nonce", nonce)
+
+		csp := "default-src 'self'; " +
+			"base-uri 'self'; " +
+			"object-src 'none'; " +
+			"frame-ancestors 'none'; " +
+			"form-action 'self'; " +
+			"img-src 'self' data: blob:; " +
+			"font-src 'self'; " +
+			"style-src 'self' 'unsafe-inline'; " +
+			"script-src 'self' 'nonce-" + nonce + "'"
+
+		c.Writer.Header().Set("Content-Security-Policy", csp)
+		c.Next()
+	}
+}
+
+func generateNonce() string {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		return "" // if generation fails, return empty; policy will omit nonce
+	}
+	return base64.RawURLEncoding.EncodeToString(b)
+}