Security Headers Implementation

Comprehensive HTTP security headers for admin interfaces and proxy operations

🛡️ Overview

The security headers middleware provides comprehensive HTTP security headers to protect against common web vulnerabilities while maintaining optimal functionality for both administrative interfaces and proxy operations.

Key Features: Two-tier security model, CORS support, CSP policies, and comprehensive protection headers.

🏗️ Architecture

Two-Tier Security Model

🔒 Strict Security Profile

Applied to administrative endpoints with enhanced protections

🎭 Permissive Security Profile

Applied to proxy operations for Microsoft compatibility

Administrative Endpoints

  • /admin/
  • /ws
  • /logs/
  • /fleet/
  • /vps/
  • /api/metrics/
  • /api/security/
  • /api/admin/

🔐 Content Security Policy

Administrative Endpoints Policy

default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self' wss: ws:;
frame-ancestors 'none';
base-uri 'self'

Proxy Endpoints Policy

default-src 'self' *.microsoft.com *.microsoftonline.com *.live.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.microsoft.com *.microsoftonline.com;
style-src 'self' 'unsafe-inline' *.microsoft.com *.microsoftonline.com;
img-src 'self' data: https: *.microsoft.com *.microsoftonline.com;
connect-src 'self' wss: ws: *.microsoft.com *.microsoftonline.com;
frame-ancestors 'self';
base-uri 'self'

🛡️ Security Headers

X-Frame-Options

SAMEORIGIN

Prevents clickjacking in browsers that predate CSP frame-ancestors; where both are present, CSP takes precedence, so administrative pages are governed by frame-ancestors 'none' and proxy pages by 'self'

X-Content-Type-Options

nosniff

Prevents MIME type confusion

X-XSS-Protection

1; mode=block

Enables the legacy XSS filter in older browsers; current Chrome, Edge and Firefox ignore this header, so the CSP script-src directive is the effective control

Referrer Policy

strict-origin-when-cross-origin

Controls referrer disclosure

HSTS

max-age=31536000; includeSubDomains

Enforces HTTPS for one year after the first HTTPS visit, for the domain and all its subdomains

Permissions Policy

camera=(), microphone=(), ...

Disables browser features the application does not use (camera, microphone and others)

🌐 CORS Configuration

Allowed Origins

  • Administrative domains
  • Production domains
  • Development localhost

Allowed Methods

  • GET, POST
  • PUT, DELETE
  • OPTIONS

Custom Headers

  • X-Firestore-Proof
  • X-License-Key
  • Authorization

⚡ Credentials Support

CORS credentials are enabled (Access-Control-Allow-Credentials: true) for authenticated requests, and preflight responses are cached for 24 hours (Access-Control-Max-Age: 86400). Because credentials are enabled, the allowed origin is echoed from the allowlist rather than set to *, which browsers reject for credentialed requests.
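The following is an added example of the configuration described in this section, written for this page and not the project's own CORS code: an explicit origin allowlist with credentials, the listed methods and custom headers, the 24-hour preflight cache, and the preflight short-circuit. The three origins in allowedOrigins are constructed placeholders, and Content-Type is added to the allowed headers as an assumption beyond the page's list.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins stands in for the page's administrative, production and
// development-localhost origins; these three values are constructed.
var allowedOrigins = map[string]bool{
	"https://admin.example.com": true,
	"https://app.example.com":   true,
	"http://localhost:3000":     true,
}

const (
	corsMethods = "GET, POST, PUT, DELETE, OPTIONS"
	// Content-Type is an assumption beyond the page's list; without it a
	// JSON body triggers a preflight that the browser then rejects.
	corsHeaders = "Authorization, X-Firestore-Proof, X-License-Key, Content-Type"
	corsMaxAge  = "86400" // 24 hours, as on the page
)

// CORS applies the allowlist. With credentials enabled the origin is echoed
// back exactly, never "*": browsers refuse "*" for credentialed requests, and
// echoing an unlisted Origin would let any site send the user's cookies.
func CORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// Vary prevents a shared cache from replaying one origin's
		// Access-Control-Allow-Origin to a different origin.
		h.Add("Vary", "Origin")
		if origin := r.Header.Get("Origin"); allowedOrigins[origin] {
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", corsMethods)
			h.Set("Access-Control-Allow-Headers", corsHeaders)
			h.Set("Access-Control-Max-Age", corsMaxAge)
		}
		// A preflight carries Access-Control-Request-Method; answer it here,
		// after the CORS headers are set and before the application runs.
		// An unlisted origin still gets 200 but no ACAO, so the browser blocks it.
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.WriteHeader(http.StatusOK)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Preflight simulates a browser preflight from origin for method and returns
// the status code and response headers.
func Preflight(origin, method string) (int, http.Header) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodOptions, "/api/admin/users", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", method)
	req.Header.Set("Access-Control-Request-Headers", "authorization, x-license-key")
	CORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})).ServeHTTP(rec, req)
	return rec.Code, rec.Result().Header
}

func main() {
	for _, o := range []string{"https://admin.example.com", "https://evil.example"} {
		code, h := Preflight(o, http.MethodPut)
		fmt.Printf("%-26s -> %d ACAO=%q Max-Age=%q\n", o, code,
			h.Get("Access-Control-Allow-Origin"), h.Get("Access-Control-Max-Age"))
	}
}
```

The preflight check is gated on Access-Control-Request-Method so that a plain OPTIONS request (for example from a WebDAV or API-discovery client) still reaches the application, whereas the page's own snippet short-circuits on every OPTIONS request.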

⚙️ Implementation Details

Middleware Integration

// Applied to all requests via middleware wrapper
secureMux := http.NewServeMux()
secureMux.Handle("/", utils.SecurityHeaders(mux))

Endpoint Classification

func isAdminEndpoint(path string) bool {
    adminPaths := []string{"/admin/", "/ws", "/logs/", "/api/admin/", 
                           "/fleet/", "/vps/", "/api/metrics/", "/api/security/"}
    for _, p := range adminPaths { // prefix match; requires import "strings"
        if strings.HasPrefix(path, p) {
            return true
        }
    }
    return false
}

CORS Preflight Handling

// Preflight short-circuit: the CORS headers already set by the middleware
// go out with a 200 and the request never reaches the application handler
if r.Method == http.MethodOptions {
    w.WriteHeader(http.StatusOK)
    return
}
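The fragments in this section show how the middleware is wired; what follows is an added, complete version of that shape, written for this page and not the project's utils.SecurityHeaders. It combines the endpoint classification with the two CSP policies from the Content Security Policy section and the fixed headers from the Security Headers section. The names adminPrefixes, adminCSP, proxyCSP and HeadersFor are this example's own, and the Permissions-Policy value is shortened to two entries because the page elides the full list.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// adminPrefixes mirrors the administrative endpoint list from the page.
var adminPrefixes = []string{
	"/admin/", "/ws", "/logs/", "/fleet/", "/vps/",
	"/api/metrics/", "/api/security/", "/api/admin/",
}

// adminCSP is the strict policy and proxyCSP the permissive one, both as on the page.
const adminCSP = "default-src 'self'; " +
	"script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
	"style-src 'self' 'unsafe-inline'; " +
	"img-src 'self' data: https:; " +
	"connect-src 'self' wss: ws:; " +
	"frame-ancestors 'none'; " +
	"base-uri 'self'"

const proxyCSP = "default-src 'self' *.microsoft.com *.microsoftonline.com *.live.com; " +
	"script-src 'self' 'unsafe-inline' 'unsafe-eval' *.microsoft.com *.microsoftonline.com; " +
	"style-src 'self' 'unsafe-inline' *.microsoft.com *.microsoftonline.com; " +
	"img-src 'self' data: https: *.microsoft.com *.microsoftonline.com; " +
	"connect-src 'self' wss: ws: *.microsoft.com *.microsoftonline.com; " +
	"frame-ancestors 'self'; " +
	"base-uri 'self'"

// IsAdminEndpoint classifies a path by prefix, as the page's isAdminEndpoint
// does. Because "/ws" is a bare prefix it also matches "/wsfoo"; use "/ws/"
// plus an exact "/ws" check if that is not intended.
func IsAdminEndpoint(path string) bool {
	for _, p := range adminPrefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// SecurityHeaders wraps next and sets the two-tier header set. Headers must be
// set before next calls WriteHeader; anything set afterwards is silently lost.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "SAMEORIGIN")
		h.Set("X-XSS-Protection", "1; mode=block")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		// The page elides the full Permissions-Policy list; two entries shown.
		h.Set("Permissions-Policy", "camera=(), microphone=()")
		if IsAdminEndpoint(r.URL.Path) {
			// frame-ancestors 'none' overrides SAMEORIGIN in CSP-aware browsers.
			h.Set("Content-Security-Policy", adminCSP)
		} else {
			h.Set("Content-Security-Policy", proxyCSP)
		}
		next.ServeHTTP(w, r)
	})
}

// HeadersFor runs the middleware over a no-op handler and returns the
// response headers produced for path (used by main and by tests).
func HeadersFor(path string) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	SecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	for _, p := range []string{"/admin/users", "/proxy/login"} {
		fmt.Printf("%-13s admin=%-5t CSP: %s\n", p, IsAdminEndpoint(p),
			HeadersFor(p).Get("Content-Security-Policy"))
	}
}
```

Wire it exactly as the Middleware Integration fragment does, with SecurityHeaders wrapping the application mux. If the CORS middleware is a separate wrapper, place it inside this one so both header sets are present on preflight responses, which return before the application handler runs.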

🎯 Security Benefits

Administrative Protection

Clickjacking Prevention

Frame ancestors restrictions

XSS Mitigation

Script source controls; note that 'unsafe-inline' and 'unsafe-eval' in script-src let injected inline scripts run, so the policy limits where scripts may load from rather than blocking injection outright

CSRF Protection

Referrer policy and CORS controls: the origin allowlist limits which sites can make credentialed cross-origin requests and read the responses, and the custom headers force a preflight; these complement rather than replace anti-CSRF tokens or SameSite cookies

Proxy Compatibility

Microsoft Domain Support

Allows legitimate Microsoft resources

Embedding Capability

Supports iframe embedding

Resource Loading

Permits necessary external resources

🔧 Troubleshooting

CORS Errors

  • Verify origin is in allowed list
  • Check credentials configuration
  • Ensure preflight requests are handled

CSP Violations

  • Review blocked resources in browser console
  • Adjust policies for legitimate requirements
  • Test with development tools

WebSocket Issues

  • Verify connect-src includes WebSocket protocols
  • Check for proxy or firewall interference
  • Validate authentication headers

Header Verification

curl -I https://your-domain.com/admin/

Note that -I sends a HEAD request; a handler that special-cases HEAD may answer with different headers than it sends for a GET.
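curl shows the headers; the added check below, written for this page and not a project tool, asserts on them. It takes a response header set and reports any header from the table above that is missing or carries an unexpected value, requires frame-ancestors 'none' on administrative paths, and flags a credentialed CORS response that uses a wildcard origin. CheckHeaders, the required table and the default URL are this example's own; main fetches with GET rather than HEAD so the real handler produces the headers being checked.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"sort"
	"strings"
)

// required maps each header from the table above to the value (or value
// prefix) it should carry on every response.
var required = map[string]string{
	"X-Content-Type-Options":    "nosniff",
	"X-Frame-Options":           "SAMEORIGIN",
	"Referrer-Policy":           "strict-origin-when-cross-origin",
	"Strict-Transport-Security": "max-age=31536000",
	"Permissions-Policy":        "camera=()",
	"Content-Security-Policy":   "default-src 'self'",
}

// CheckHeaders returns a sorted list of findings, empty when the response
// matches the page's policy. admin selects the strict-profile expectations.
func CheckHeaders(h http.Header, admin bool) []string {
	var findings []string
	for name, want := range required {
		got := h.Get(name)
		switch {
		case got == "":
			findings = append(findings, "missing "+name)
		case !strings.HasPrefix(got, want):
			findings = append(findings, fmt.Sprintf("%s is %q, expected prefix %q", name, got, want))
		}
	}
	csp := h.Get("Content-Security-Policy")
	if admin && !strings.Contains(csp, "frame-ancestors 'none'") {
		findings = append(findings, "admin CSP lacks frame-ancestors 'none'")
	}
	// A wildcard origin is rejected by browsers for credentialed requests and
	// usually means the allowlist is not being applied.
	if h.Get("Access-Control-Allow-Credentials") == "true" &&
		h.Get("Access-Control-Allow-Origin") == "*" {
		findings = append(findings, "credentials enabled with wildcard Access-Control-Allow-Origin")
	}
	sort.Strings(findings)
	return findings
}

func main() {
	url := "https://your-domain.com/admin/" // placeholder, as in the curl line above
	if len(os.Args) > 1 {
		url = os.Args[1]
	}
	// GET rather than HEAD (curl -I) so the real handler, not a HEAD
	// shortcut, produces the headers being checked.
	resp, err := http.Get(url)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	findings := CheckHeaders(resp.Header, strings.HasPrefix(resp.Request.URL.Path, "/admin/"))
	if len(findings) == 0 {
		fmt.Println("all expected security headers present")
		return
	}
	for _, f := range findings {
		fmt.Println("FAIL:", f)
	}
	os.Exit(1)
}
```

Run it as go run . https://your-domain.com/admin/ and again against a proxy path; the exit status makes it usable as a post-deploy check in CI.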