Sicherheits header gesetzt

main.go

@@ -21,19 +21,38 @@ func main() {
 	}
 
 	// Set up routes
-	http.HandleFunc("/", handleRoot)
+	mux := http.NewServeMux()
-	http.HandleFunc("/config", handleConfig)
+	mux.HandleFunc("/", handleRoot)
-	http.HandleFunc("/popup", handlePopupInstructions)
+	mux.HandleFunc("/config", handleConfig)
-	http.HandleFunc("/search", handleSearch)
+	mux.HandleFunc("/popup", handlePopupInstructions)
-	http.HandleFunc("/favicon.ico", handleFavicon)
+	mux.HandleFunc("/search", handleSearch)
+	mux.HandleFunc("/favicon.ico", handleFavicon)
 
 	// Serve static files from 'public' directory
 	fs := http.FileServer(http.Dir("./public"))
-	http.Handle("/public/", http.StripPrefix("/public/", fs))
+	mux.Handle("/public/", http.StripPrefix("/public/", fs))
+
+	// Wende die Sicherheitsheader-Middleware auf alle Routen an
+	secureMux := secureHeaders(mux)
 
 	// Start the server
 	log.Printf("Server is running at http://0.0.0.0:%s\n", port)
-	log.Fatal(http.ListenAndServe("0.0.0.0:"+port, nil))
+	log.Fatal(http.ListenAndServe("0.0.0.0:"+port, secureMux))
+}
+
+// Middleware für Sicherheitsheader
+func secureHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Setze die Sicherheitsheader
+		w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:;")
+		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("X-XSS-Protection", "1; mode=block")
+
+		// Führe den nächsten Handler aus
+		next.ServeHTTP(w, r)
+	})
 }
 
 func handleRoot(w http.ResponseWriter, r *http.Request) {