Security

X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Referrer-Policy: strict-origin-when-cross-origin

import "github.com/go-mizu/mizu/middlewares/helmet"

app.Use(helmet.Default())

app.Use(frontend.WithOptions(frontend.Options{
    SecurityHeaders: false,  // Avoid duplicates
}))

app.Use(helmet.WithOptions(helmet.Options{
    ContentSecurityPolicy: &helmet.CSPOptions{
        Directives: map[string][]string{
            "default-src": {"'self'"},
            "script-src":  {"'self'", "'unsafe-inline'"},  // Vite needs unsafe-inline in dev
            "style-src":   {"'self'", "'unsafe-inline'"},
            "img-src":     {"'self'", "data:", "https:"},
            "font-src":    {"'self'"},
        },
    },
}))

func getCSP(env string) *helmet.CSPOptions {
    directives := map[string][]string{
        "default-src": {"'self'"},
        "script-src":  {"'self'"},
        "style-src":   {"'self'"},
    }

    if env != "production" {
        directives["script-src"] = append(directives["script-src"], "'unsafe-inline'")
        directives["style-src"] = append(directives["style-src"], "'unsafe-inline'")
    }

    return &helmet.CSPOptions{Directives: directives}
}

import "github.com/go-mizu/mizu/middlewares/secure"

app.Use(secure.WithOptions(secure.Options{
    SSLRedirect: true,  // Redirect HTTP to HTTPS
}))

import "github.com/go-mizu/mizu/middlewares/cors"

app.Use(cors.WithOptions(cors.Options{
    AllowedOrigins: []string{"https://yourdomain.com"},
    AllowedMethods: []string{"GET", "POST", "PUT", "DELETE"},
    AllowedHeaders: []string{"Content-Type", "Authorization"},
}))

app.Use(frontend.WithOptions(frontend.Options{
    SourceMaps: false,  // Default in production
}))

app.Use(secure.Default())

app.Use(helmet.Default())

import "html"

func handleComment(c *mizu.Ctx) error {
    comment := c.FormValue("comment")
    sanitized := html.EscapeString(comment)  // Escape HTML
    // Save sanitized...
}

// React escapes by default
<div>{userInput}</div>  // Safe

// Dangerous:
<div dangerouslySetInnerHTML={{__html: userInput}} />  // Unsafe!

func createUser(c *mizu.Ctx) error {
    email := c.FormValue("email")

    // Validate server-side
    if !isValidEmail(email) {
        return c.JSON(400, map[string]string{"error": "invalid email"})
    }

    // Create user...
}

http.SetCookie(c.Writer(), &http.Cookie{
    Name:     "auth_token",
    Value:    token,
    HttpOnly: true,   // Not accessible via JavaScript
    Secure:   true,   // HTTPS only
    SameSite: http.SameSiteStrictMode,
})

import "github.com/go-mizu/mizu/middlewares/ratelimit"

app.Use(ratelimit.PerMinute(100))