Merge SEC-10: add Permissions-Policy header

This commit is contained in:
2026-03-13 00:49:34 -07:00
2 changed files with 5 additions and 0 deletions


@@ -564,6 +564,9 @@ func noDirListing(next http.Handler) http.Handler {
// requests to this origin for two years, preventing TLS-strip on revisit.
// - Referrer-Policy: suppresses the Referer header on outbound navigations so
// JWTs or session identifiers embedded in URLs are not leaked to third parties.
// - Permissions-Policy: disables browser features (camera, microphone,
// geolocation, payment) that this application does not use, reducing the
// attack surface if a content-injection vulnerability is exploited.
func securityHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
h := w.Header()
@@ -573,6 +576,7 @@ func securityHeaders(next http.Handler) http.Handler {
h.Set("X-Frame-Options", "DENY")
h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
h.Set("Referrer-Policy", "no-referrer")
h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()")
next.ServeHTTP(w, r)
})
}
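Review bot: The Permissions-Policy directive list on the new `h.Set` line is an inline literal that the doc comment above `securityHeaders` repeats by name (camera, microphone, geolocation, payment), so the two will drift the next time a feature is added or removed. I would hoist it beside the function as `const permissionsPolicy = "camera=(), microphone=(), geolocation=(), payment=()"` and write `h.Set("Permissions-Policy", permissionsPolicy)`, keeping the per-feature rationale next to the constant instead of in the middleware's comment. If the package already has a handler test for these headers, it should assert the new header value as well, since a typo in the structured-field syntax would most likely be ignored by browsers rather than reported. The second hunk begins inside the handler closure, so whatever is set between `h := w.Header()` and the `X-Frame-Options` line is not visible here.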