From 15fe5db50ee42decad5633c5bc3e8c3a6d527f51 Mon Sep 17 00:00:00 2001 From: Tiago Yamamoto Date: Sun, 14 Dec 2025 09:04:19 -0300 Subject: [PATCH] fix(backend): relax CSP for Swagger UI docs - Allow 'unsafe-inline' and 'unsafe-eval' scripts on /docs routes - Swagger UI requires inline scripts to function properly - Keep strict CSP for all other API routes --- .../internal/middleware/security_headers.go | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/backend/internal/middleware/security_headers.go b/backend/internal/middleware/security_headers.go index a708c3d..98a33af 100644 --- a/backend/internal/middleware/security_headers.go +++ b/backend/internal/middleware/security_headers.go @@ -1,13 +1,20 @@ package middleware -import "net/http" +import ( + "net/http" + "strings" +) // SecurityHeadersMiddleware adds essential security headers to all responses // Based on OWASP guidelines func SecurityHeadersMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - // Prevent clickjacking - w.Header().Set("X-Frame-Options", "DENY") + // Prevent clickjacking (allow framing for Swagger UI) + if strings.HasPrefix(r.URL.Path, "/docs") { + w.Header().Set("X-Frame-Options", "SAMEORIGIN") + } else { + w.Header().Set("X-Frame-Options", "DENY") + } // Prevent MIME sniffing w.Header().Set("X-Content-Type-Options", "nosniff") @@ -21,8 +28,13 @@ func SecurityHeadersMiddleware(next http.Handler) http.Handler { // Permissions policy (disable potentially dangerous features) w.Header().Set("Permissions-Policy", "geolocation=(), microphone=(), camera=()") - // Content Security Policy - adjust as needed for your frontend - w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'") + // Content Security Policy - relaxed for Swagger UI docs + if strings.HasPrefix(r.URL.Path, "/docs") { + // Swagger UI needs unsafe-inline and unsafe-eval for its scripts + w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:") + } else { + w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'") + } // HSTS - uncomment in production with HTTPS // w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")