Skip to content

fix(security): add security headers, fix CORS credentials, set SameSite on admin cookie#573

Merged
lakhansamani merged 1 commit intomainfrom
fix/http-security-headers
Apr 5, 2026
Merged

fix(security): add security headers, fix CORS credentials, set SameSite on admin cookie#573
lakhansamani merged 1 commit intomainfrom
fix/http-security-headers

Conversation

@lakhansamani
Copy link
Copy Markdown
Contributor

@lakhansamani lakhansamani commented Apr 4, 2026

Summary

  • Security Headers (MEDIUM): New middleware adds X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, X-XSS-Protection: 0
  • CORS Credentials (MEDIUM): Access-Control-Allow-Credentials: true is now only set when a specific validated origin matches (not unconditionally)
  • Admin Cookie SameSite (MEDIUM): Admin cookies now set SameSite=Strict to prevent cross-origin admin session usage

Files Changed

  • internal/http_handlers/security_headers.go — new middleware
  • internal/http_handlers/provider.go — interface update
  • internal/server/http_routes.go — middleware registration
  • internal/http_handlers/cors.go — conditional credentials header
  • internal/cookie/admin_cookie.go — SameSite=Strict

Test plan

  • make test-sqlite passes (no regressions)
  • Verify security headers present in HTTP responses
  • Verify CORS still works for configured origins
  • Verify admin dashboard login still works

@lakhansamani lakhansamani merged commit 431a557 into main Apr 5, 2026
@lakhansamani lakhansamani deleted the fix/http-security-headers branch April 5, 2026 01:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lakhansamani