chore: sync repository to current working state
Some checks failed
Build and Test / Build Server (Linux) (push) Has been cancelled
Build and Test / Build Agent (Windows) (push) Has been cancelled
Build and Test / Security Audit (push) Has been cancelled
Build and Test / Build Summary (push) Has been cancelled
Run Tests / Test Server (push) Has been cancelled
Run Tests / Test Agent (push) Has been cancelled
Run Tests / Code Coverage (push) Has been cancelled
Run Tests / Lint and Format Check (push) Has been cancelled
Brings azcomputerguru/guru-connect up to the authoritative working copy that had been maintained in the claudetools monorepo: Phase 1 security and infrastructure (middleware, metrics, utils, token blacklist, deployment scripts, security audits) plus the native-remote-control integration spec. Preserves the repo .gitignore, .cargo, and server/static/downloads. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
server/src/middleware/security_headers.rs (new file, 75 lines)
@@ -0,0 +1,75 @@
//! Security headers middleware
//!
//! SEC-7: XSS Prevention via Content-Security-Policy
//! SEC-12: Additional security headers

use axum::{
extract::Request,
middleware::Next,
response::Response,
};

/// Add security headers to all responses
pub async fn add_security_headers(
request: Request,
next: Next,
) -> Response {
let mut response = next.run(request).await;
let headers = response.headers_mut();

// SEC-7: Content Security Policy (XSS Prevention)
// This CSP allows inline scripts/styles (needed for dashboard) but blocks external resources
headers.insert(
"Content-Security-Policy",
"default-src 'self'; \
script-src 'self' 'unsafe-inline'; \
style-src 'self' 'unsafe-inline'; \
img-src 'self' data:; \
font-src 'self'; \
connect-src 'self' ws: wss:; \
frame-ancestors 'none'; \
base-uri 'self'; \
form-action 'self'"
.parse()
.unwrap(),
);

// SEC-12: X-Frame-Options (Clickjacking protection)
headers.insert(
"X-Frame-Options",
"DENY".parse().unwrap(),
);

// SEC-12: X-Content-Type-Options (MIME sniffing protection)
headers.insert(
"X-Content-Type-Options",
"nosniff".parse().unwrap(),
);

// SEC-12: X-XSS-Protection (Legacy XSS filter - deprecated but still useful)
headers.insert(
"X-XSS-Protection",
"1; mode=block".parse().unwrap(),
);

// SEC-12: Referrer-Policy (Control referrer information)
headers.insert(
"Referrer-Policy",
"strict-origin-when-cross-origin".parse().unwrap(),
);

// SEC-12: Permissions-Policy (Feature policy)
headers.insert(
"Permissions-Policy",
"geolocation=(), microphone=(), camera=()".parse().unwrap(),
);

// SEC-10: Strict-Transport-Security (HSTS - only when using HTTPS)
// Uncomment when HTTPS is enabled:
// headers.insert(
// "Strict-Transport-Security",
// "max-age=31536000; includeSubDomains; preload".parse().unwrap(),
// );

response
}
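Review bot: `script-src 'self' 'unsafe-inline'` in the SEC-7 CSP block largely defeats the "XSS Prevention" the header comment claims, because an injected inline `<script>` is exactly what `'unsafe-inline'` permits; the dashboard's inline scripts should be allowed with a per-response nonce (`'nonce-…'`) or a `'sha256-…'` hash so that `'unsafe-inline'` can be dropped from `script-src` (it is far less harmful to keep it in `style-src`). In the same directive list, `connect-src 'self' ws: wss:` allows WebSocket connections to any host, which gives injected code an exfiltration channel; `'self'` already matches same-origin `ws:`/`wss:` in browsers implementing CSP Level 3, so the scheme-only sources can be removed or replaced with the specific origin the agent connects to. The comment on `X-XSS-Protection` ("deprecated but still useful") is wrong: the filter has been removed from Chromium and was never implemented in Firefox, and the remaining legacy implementations could be abused by attackers, so current guidance is `X-XSS-Protection: 0` or omitting the header entirely. Style: every value here is a string literal, so `HeaderValue::from_static("...")` expresses the intent without the runtime `.parse().unwrap()` and lets the compiler reject a malformed value, and the commented-out HSTS block would be better gated on a config flag (the server usually sits behind a TLS-terminating proxy, so checking the request scheme is not reliable) than left to be uncommented by hand.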