core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
eecce56c13
molecule-core/workspace-server/internal/middleware/securityheaders.go
Hongming Wang 479a027e4b chore: open-source restructure — rename dirs, remove internal files, scrub secrets 
Renames:
- platform/ → workspace-server/ (Go module path stays as "platform" for
  external dep compat — will update after plugin module republish)
- workspace-template/ → workspace/

Removed (moved to separate repos or deleted):
- PLAN.md — internal roadmap (move to private project board)
- HANDOFF.md, AGENTS.md — one-time internal session docs
- .claude/ — gitignored entirely (local agent config)
- infra/cloudflare-worker/ → Molecule-AI/molecule-tenant-proxy
- org-templates/molecule-dev/ → standalone template repo
- .mcp-eval/ → molecule-mcp-server repo
- test-results/ — ephemeral, gitignored

Security scrubbing:
- Cloudflare account/zone/KV IDs → placeholders
- Real EC2 IPs → <EC2_IP> in all docs
- CF token prefix, Neon project ID, Fly app names → redacted
- Langfuse dev credentials → parameterized
- Personal runner username/machine name → generic

Community files:
- CONTRIBUTING.md — build, test, branch conventions
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1

All Dockerfiles, CI workflows, docker-compose, railway.toml, render.yaml,
README, CLAUDE.md updated for new directory names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-18 00:24:44 -07:00

104 lines
4.2 KiB
Go
Raw Blame History

package middleware
import (
"strings"
"github.com/gin-gonic/gin"
)
// apiPrefixes lists the URL path prefixes that are served by Go platform
// handlers (JSON/binary responses). Canvas-proxied routes (Next.js HTML) are
// everything not in this list — they require 'unsafe-inline' for hydration.
//
// Keep this in sync with the routes registered in router/router.go. A path
// not on this list gets the permissive (canvas-compatible) CSP, which is
// acceptable: adding a new API prefix here is an opt-in tightening, never a
// silent breakage.
var apiPrefixes = []string{
"/workspaces",
"/registry",
"/health",
"/admin",
"/metrics",
"/settings",
"/bundles",
"/org",
"/orgs", // #610 — per-org plugin allowlist routes
"/templates",
"/plugins",
"/webhooks",
"/channels",
"/ws",
"/events",
"/approvals",
}
// isAPIPath reports whether a URL path belongs to a Go platform handler.
// Such paths return JSON and do not need 'unsafe-inline' in their CSP.
// Canvas-proxied paths (NoRoute → Next.js) are anything not matched here.
func isAPIPath(path string) bool {
for _, prefix := range apiPrefixes {
if path == prefix || strings.HasPrefix(path, prefix+"/") {
return true
}
}
return false
}
// SecurityHeaders returns a Gin middleware that sets standard HTTP security
// headers on every response to mitigate common web-application attacks:
//
// - X-Content-Type-Options: nosniff — prevents MIME-type sniffing
// - X-Frame-Options: DENY — blocks iframe embedding (clickjacking)
// - Content-Security-Policy — two tiers (see below)
// - Strict-Transport-Security: max-age=31536000; includeSubDomains — enforces HTTPS for 1 year
// - Referrer-Policy: strict-origin-when-cross-origin — avoids leaking full paths/queries in Referer
// - Permissions-Policy: camera=(), microphone=(), geolocation=() — denies sensor access for embedded content
//
// CSP tiers (fix for #450):
//
// 1. API routes (/workspaces, /registry, /health, …) — return JSON, not HTML.
// Strict "default-src 'self'" with no unsafe directives. XSS in a JSON
// response body is not executable without being reflected into an HTML
// page, so the permissive directives would only provide false assurance.
//
// 2. Canvas-proxied routes (NoRoute → Next.js) — serve HTML with inline
// scripts required for Next.js hydration. 'unsafe-inline' is kept here
// because removing it breaks the canvas. 'unsafe-eval' was dropped after
// confirming the production build renders without it.
func SecurityHeaders() gin.HandlerFunc {
return func(c *gin.Context) {
c.Header("X-Content-Type-Options", "nosniff")
c.Header("X-Frame-Options", "DENY")
c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
// #282: Referrer-Policy prevents browsers from leaking the full Referer
// URL to cross-origin resources (which can expose internal paths/queries).
// Permissions-Policy denies sensor access by default — especially relevant
// because the canvas embeds iframes for Langfuse traces.
c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
c.Header("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
// #450: differentiate CSP by route type.
if isAPIPath(c.Request.URL.Path) {
// API routes return JSON — no inline scripts are ever needed.
// A strict CSP here is meaningful: it prevents a hypothetical
// reflected-XSS payload in an error message from executing if
// the JSON is ever mistakenly served with a text/html content-type.
c.Header("Content-Security-Policy", "default-src 'self'")
} else {
// Canvas routes (NoRoute → reverse-proxy to Next.js) serve HTML
// that requires inline script injection for React hydration.
// 'unsafe-eval' was deliberately removed — Next.js production
// builds do not require it; only the dev server does.
c.Header("Content-Security-Policy",
"default-src 'self'; "+
"script-src 'self' 'unsafe-inline'; "+
"style-src 'self' 'unsafe-inline'; "+
"img-src 'self' data: blob:; "+
"connect-src 'self' ws: wss:; "+
"font-src 'self' data:")
}
c.Next()
}
}
View Git Blame Copy Permalink