A301/a301_server
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: Swagger UI CSP 완화하여 리소스 로딩 허용
All checks were successful
Server CI/CD / lint-and-build (push) Successful in 15s
Details
Server CI/CD / deploy (push) Successful in 57s
Details

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
tolelom
2026-03-17 09:19:26 +09:00
parent fc976dbba8
commit 635dfb3221
1 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/middleware/security.go
View File

@@ -1,6 +1,10 @@
package middleware package middleware
import "github.com/gofiber/fiber/v2" import (
"strings"
"github.com/gofiber/fiber/v2"
)
// SecurityHeaders sets common HTTP security headers on every response. // SecurityHeaders sets common HTTP security headers on every response.
func SecurityHeaders(c *fiber.Ctx) error { func SecurityHeaders(c *fiber.Ctx) error {
@@ -8,7 +12,13 @@ func SecurityHeaders(c *fiber.Ctx) error {
c.Set("X-Frame-Options", "DENY") c.Set("X-Frame-Options", "DENY")
c.Set("X-XSS-Protection", "0") c.Set("X-XSS-Protection", "0")
c.Set("Referrer-Policy", "strict-origin-when-cross-origin") c.Set("Referrer-Policy", "strict-origin-when-cross-origin")
c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
if strings.HasPrefix(c.Path(), "/swagger") {
c.Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'")
} else {
c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
}
c.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") c.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
return c.Next() return c.Next()
} }