package middleware

import (
	"strings"

	"github.com/gofiber/fiber/v2"
)

// SecurityHeaders sets common HTTP security headers on every response.
func SecurityHeaders(c *fiber.Ctx) error {
	c.Set("X-Content-Type-Options", "nosniff")
	c.Set("X-Frame-Options", "DENY")
	c.Set("X-XSS-Protection", "0")
	c.Set("Referrer-Policy", "strict-origin-when-cross-origin")

	if strings.HasPrefix(c.Path(), "/swagger") {
		c.Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'")
	} else {
		c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
	}

	c.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	return c.Next()
}