gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 19:48:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(middleware): SEC-008 — Permissions-Policy deny-all-features header

Browse Source 
Acquisition-audit SEC-008 closure (Sprint 2 ACQ, 2026-05-16).

Add Permissions-Policy as a sixth security header alongside HSTS,
X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and CSP.
Default value is a deny-all-features baseline:

  accelerometer=(), camera=(), geolocation=(), microphone=(),
  payment=(), usb=(), interest-cohort=()

certctl is a control-plane API + dashboard; no part of the surface
needs camera / microphone / geolocation / accelerometer / payment /
USB access, and `interest-cohort=()` opts out of the deprecated
FLoC browser feature. The deny-all default removes those
attack/fingerprint surfaces if certctl is ever embedded in a
malicious page or if a dashboard route is XSS-compromised
post-CSP-bypass.

Per-field empty-string suppression is preserved: operators who want
to allow a feature (e.g. hardware-attestation flows wanting
WebAuthn's USB transport) can either set Cfg.PermissionsPolicy to
their own narrowed allowlist or set it to "" to suppress the
header entirely.

Tests:
  - TestSecurityHeaders_PermissionsPolicyDefault — pins the literal
    default value byte-for-byte so any widening (e.g. someone adding
    camera=*) breaks the test.
  - TestSecurityHeaders_PermissionsPolicyOverrideToEmptySuppresses —
    pins the operator escape hatch and that the per-field
    suppression contract still holds field-by-field.
  - TestSecurityHeaders_DefaultsAllPresent gains Permissions-Policy
    in its loop, so the existing on-error and on-2xx paths now
    cover the new header too.

The middleware pre-trim slice capacity bumps from 5 → 6 entries.
This commit is contained in:
shankar0123
2026-05-16 17:13:17 +00:00
parent 578ac4ec68
commit 4f2d865b51
2 changed files with 66 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/api/middleware/securityheaders.go
+17 -1
View File
@@ -25,6 +25,7 @@ type SecurityHeadersConfig struct {
ContentTypeOptions string // X-Content-Type-Options
ReferrerPolicy string // Referrer-Policy
ContentSecurityPolicy string // Content-Security-Policy
PermissionsPolicy string // Permissions-Policy (SEC-008 closure, Sprint 2 ACQ 2026-05-16)
}
// SecurityHeadersDefaults returns a recommended baseline.
@@ -78,6 +79,19 @@ type SecurityHeadersConfig struct {
// Referrer-Policy: no-referrer-when-downgrade — preserves Referer
// for same-origin navigation (useful for support/diagnostics) but
// strips it on HTTPS→HTTP transitions.
//
// Permissions-Policy: deny-all-browser-features default. Acquisition-
// audit SEC-008 closure (Sprint 2 ACQ, 2026-05-16). certctl is a
// control-plane API + dashboard; no part of the surface needs
// access to the camera, microphone, geolocation, accelerometer,
// payment, USB, or the deprecated `interest-cohort` (FLoC) browser
// feature. The deny-all default removes those attack/fingerprint
// surfaces if certctl is ever embedded in a malicious page or if a
// dashboard route is XSS-compromised post-CSP-bypass. Operators
// running certctl with intentional dependence on any of these (e.g.
// hardware-attestation flows wanting WebAuthn's USB transport) can
// set `Cfg.PermissionsPolicy: ""` to suppress the header entirely,
// or override with their own narrowed allowlist.
func SecurityHeadersDefaults() SecurityHeadersConfig {
return SecurityHeadersConfig{
HSTS: "max-age=31536000; includeSubDomains",
@@ -85,6 +99,7 @@ func SecurityHeadersDefaults() SecurityHeadersConfig {
ContentTypeOptions: "nosniff",
ReferrerPolicy: "no-referrer-when-downgrade",
ContentSecurityPolicy: "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; connect-src 'self'; frame-ancestors 'none'",
PermissionsPolicy: "accelerometer=(), camera=(), geolocation=(), microphone=(), payment=(), usb=(), interest-cohort=()",
}
}
@@ -100,7 +115,7 @@ func SecurityHeaders(cfg SecurityHeadersConfig) func(http.Handler) http.Handler
// Pre-trim each value once; the per-request hot path stays a
// straight set of map writes.
type headerEntry struct{ name, value string }
entries := make([]headerEntry, 0, 5)
entries := make([]headerEntry, 0, 6)
add := func(name, value string) {
v := strings.TrimSpace(value)
if v != "" {
@@ -112,6 +127,7 @@ func SecurityHeaders(cfg SecurityHeadersConfig) func(http.Handler) http.Handler
add("X-Content-Type-Options", cfg.ContentTypeOptions)
add("Referrer-Policy", cfg.ReferrerPolicy)
add("Content-Security-Policy", cfg.ContentSecurityPolicy)
add("Permissions-Policy", cfg.PermissionsPolicy)
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {