Harden for public deployment behind a reverse proxy

The session cookie now sets the Secure attribute (server.secure_cookies, default true). Adds chi RealIP and Recoverer middleware plus a securityHeaders middleware that emits a Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy on every response. HSTS is intentionally left to the TLS-terminating proxy. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 12:10:50 -07:00
parent 1ae2c50b9a
commit fd1682e11b
4 changed files with 91 additions and 10 deletions
--- a/go.mod
+++ b/go.mod
@@ -3,21 +3,24 @@ module veola
 go 1.25.0

 require (
-	github.com/BurntSushi/toml v1.6.0 // indirect
-	github.com/a-h/templ v0.3.1020 // indirect
-	github.com/alexedwards/scs/sqlite3store v0.0.0-20251002162104-209de6e426de // indirect
-	github.com/alexedwards/scs/v2 v2.9.0 // indirect
+	github.com/BurntSushi/toml v1.6.0
+	github.com/a-h/templ v0.3.1020
+	github.com/alexedwards/scs/sqlite3store v0.0.0-20251002162104-209de6e426de
+	github.com/alexedwards/scs/v2 v2.9.0
+	github.com/go-chi/chi/v5 v5.2.5
+	github.com/robfig/cron/v3 v3.0.1
+	golang.org/x/crypto v0.51.0
+	modernc.org/sqlite v1.50.0
+)
+
+require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/go-chi/chi/v5 v5.2.5 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/robfig/cron/v3 v3.0.1 // indirect
-	golang.org/x/crypto v0.51.0 // indirect
 	golang.org/x/sys v0.44.0 // indirect
 	modernc.org/libc v1.72.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
-	modernc.org/sqlite v1.50.0 // indirect
 )