Add secure middleware, with sensible values

server/middlewares.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/deluan/navidrome/log"
 	"github.com/go-chi/chi/middleware"
+	"github.com/unrolled/secure"
 )
 
 func requestLogger(next http.Handler) http.Handler {
@@ -46,6 +47,14 @@ func requestLogger(next http.Handler) http.Handler {
 	})
 }
 
+func injectLogger(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		ctx = log.NewContext(r.Context(), "requestId", ctx.Value(middleware.RequestIDKey))
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
 func robotsTXT(fs http.FileSystem) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -58,3 +67,14 @@ func robotsTXT(fs http.FileSystem) func(next http.Handler) http.Handler {
 		})
 	}
 }
+
+func secureMiddleware() func(h http.Handler) http.Handler {
+	sec := secure.New(secure.Options{
+		ContentTypeNosniff:    true,
+		FrameDeny:             true,
+		ReferrerPolicy:        "same-origin",
+		FeaturePolicy:         "autoplay 'none'; camera: 'none'; display-capture 'none'; microphone: 'none'; usb: 'none'",
+		ContentSecurityPolicy: "script-src 'self' 'unsafe-inline'",
+	})
+	return sec.Handler
+}

server/server.go

@@ -53,6 +53,7 @@ func (a *Server) Run(addr string) {
 func (a *Server) initRoutes() {
 	r := chi.NewRouter()
 
+	r.Use(secureMiddleware())
 	r.Use(cors.AllowAll().Handler)
 	r.Use(middleware.RequestID)
 	r.Use(middleware.RealIP)
@@ -88,11 +89,3 @@ func (a *Server) initScanner() {
 		}
 	}()
 }
-
-func injectLogger(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ctx := r.Context()
-		ctx = log.NewContext(r.Context(), "requestId", ctx.Value(middleware.RequestIDKey))
-		next.ServeHTTP(w, r.WithContext(ctx))
-	})
-}