Added CSP

internal/middlewares/csp.go

@@ -0,0 +1,43 @@
+package middlewares
+
+import (
+	"GoMembership/internal/config"
+	"GoMembership/pkg/logger"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+func CSPMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		policy := "default-src 'self'; " +
+			"script-src 'self' 'unsafe-inline'" +
+			"style-src 'self' 'unsafe-inline'" +
+			"img-src 'self'" +
+			"font-src 'self'" +
+			"connect-src 'self'; " +
+			"frame-ancestors 'none'; " +
+			"form-action 'self'; " +
+			"base-uri 'self'; " +
+			"upgrade-insecure-requests;"
+
+		if config.Env == "development" {
+			policy += " report-uri /csp-report;"
+			c.Header("Content-Security-Policy-Report-Only", policy)
+		} else {
+			c.Header("Content-Security-Policy", policy)
+		}
+		c.Next()
+	}
+}
+
+func CSPReportHandling(c *gin.Context) {
+	var report map[string]interface{}
+	if err := c.BindJSON(&report); err != nil {
+
+		logger.Error.Printf("Couldn't Bind JSON: %#v", err)
+		return
+	}
+	logger.Info.Printf("CSP Violation: %+v", report)
+	c.Status(http.StatusNoContent)
+}

internal/middlewares/csp_test.go

@@ -0,0 +1,81 @@
+package middlewares
+
+import (
+	"GoMembership/internal/config"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCSPMiddleware(t *testing.T) {
+	// Save the current environment and restore it after the test
+	originalEnv := config.Env
+
+	tests := []struct {
+		name           string
+		environment    string
+		expectedHeader string
+		expectedPolicy string
+	}{
+		{
+			name:           "Development Environment",
+			environment:    "development",
+			expectedHeader: "Content-Security-Policy-Report-Only",
+			expectedPolicy: "default-src 'self'; " +
+				"script-src 'self' 'unsafe-inline'" +
+				"style-src 'self' 'unsafe-inline'" +
+				"img-src 'self'" +
+				"font-src 'self'" +
+				"connect-src 'self'; " +
+				"frame-ancestors 'none'; " +
+				"form-action 'self'; " +
+				"base-uri 'self'; " +
+				"upgrade-insecure-requests; report-uri /csp-report;",
+		},
+		{
+			name:           "Production Environment",
+			environment:    "production",
+			expectedHeader: "Content-Security-Policy",
+			expectedPolicy: "default-src 'self'; " +
+				"script-src 'self' 'unsafe-inline'" +
+				"style-src 'self' 'unsafe-inline'" +
+				"img-src 'self'" +
+				"font-src 'self'" +
+				"connect-src 'self'; " +
+				"frame-ancestors 'none'; " +
+				"form-action 'self'; " +
+				"base-uri 'self'; " +
+				"upgrade-insecure-requests;",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up the test environment
+			config.Env = tt.environment
+
+			// Create a new Gin router with the middleware
+			gin.SetMode(gin.TestMode)
+			router := gin.New()
+			router.Use(CSPMiddleware())
+			router.GET("/test", func(c *gin.Context) {
+				c.String(http.StatusOK, "test")
+			})
+
+			// Create a test request
+			req, _ := http.NewRequest("GET", "/test", nil)
+			w := httptest.NewRecorder()
+
+			// Serve the request
+			router.ServeHTTP(w, req)
+
+			// Check the response
+			assert.Equal(t, http.StatusOK, w.Code)
+			assert.Equal(t, tt.expectedPolicy, w.Header().Get(tt.expectedHeader))
+		})
+	}
+	config.Env = originalEnv
+}