d-bis/explorer-monorepo
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c1fe6ec6e3a7b22d8d7f9f089ca0104f907da218
explorer-monorepo/backend/api/middleware/security.go
defiQUG a53c15507f fix: API JSON error responses + navbar with dropdowns 
- Add backend/libs/go-http-errors for consistent JSON errors
- REST API: use writeMethodNotAllowed, writeNotFound, writeInternalError
- middleware, gateway, search: use httperrors.WriteJSON
- SPA: navbar with Explore/Tools/More dropdowns, initNavDropdowns()
- Next.js: Navbar component with dropdowns + mobile menu

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-16 03:09:53 -08:00

66 lines
2.4 KiB
Go
Raw Blame History

package middleware
import (
"net/http"
"strings"
httperrors "github.com/explorer/backend/libs/go-http-errors"
)
// SecurityMiddleware adds security headers
type SecurityMiddleware struct{}
// NewSecurityMiddleware creates a new security middleware
func NewSecurityMiddleware() *SecurityMiddleware {
return &SecurityMiddleware{}
}
// AddSecurityHeaders adds security headers to responses
func (m *SecurityMiddleware) AddSecurityHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Content Security Policy
// unsafe-eval required by ethers.js v5 UMD from CDN (ABI decoding)
w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self' https://cdnjs.cloudflare.com; img-src 'self' data: https:; connect-src 'self' https://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;")
// X-Frame-Options (click-jacking protection)
w.Header().Set("X-Frame-Options", "DENY")
// X-Content-Type-Options
w.Header().Set("X-Content-Type-Options", "nosniff")
// X-XSS-Protection
w.Header().Set("X-XSS-Protection", "1; mode=block")
// Strict-Transport-Security
w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
// Referrer-Policy
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
// Permissions-Policy
w.Header().Set("Permissions-Policy", "geolocation=(), microphone=(), camera=()")
next.ServeHTTP(w, r)
})
}
// BlockWriteCalls blocks contract write calls except WETH operations
func (m *SecurityMiddleware) BlockWriteCalls(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Only apply to POST requests (write operations)
if r.Method == http.MethodPost {
// Check if this is a WETH operation (allowed)
path := r.URL.Path
if !strings.Contains(path, "weth") && !strings.Contains(path, "wrap") && !strings.Contains(path, "unwrap") {
// Block other write operations for Track 1
if strings.HasPrefix(path, "/api/v1/track1") {
httperrors.WriteJSON(w, http.StatusForbidden, "FORBIDDEN", "Write operations not allowed for Track 1 (public)")
return
}
}
}
next.ServeHTTP(w, r)
})
}
Reference in New Issue View Git Blame Copy Permalink