Bezbednost — security headers, fail2ban logovanje, bruteforce zaštita, CSRF zaštita

2026-06-03 21:38:16 +02:00
parent 974d76360a
commit ed7ae605b2
15 changed files with 352 additions and 18 deletions
@@ -0,0 +1,24 @@
+package middleware
+
+import "net/http"
+
+// BezbednostHeaders dodaje standardne HTTP security headere na svaki odgovor
+func BezbednostHeaders() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			h := w.Header()
+			h.Set("X-Frame-Options", "DENY")
+			h.Set("X-Content-Type-Options", "nosniff")
+			h.Set("X-XSS-Protection", "1; mode=block")
+			h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
+			h.Set("Content-Security-Policy",
+				"default-src 'self'; "+
+					"style-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; "+
+					"script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdn.jsdelivr.net; "+
+					"img-src 'self' data: blob:; "+
+					"font-src 'self'; "+
+					"connect-src 'self'")
+			next.ServeHTTP(w, r)
+		})
+	}
+}
@@ -0,0 +1,69 @@
+package middleware
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"net/http"
+)
+
+const csrfKolacic = "ntech_csrf"
+
+type csrfKljucTip struct{}
+
+var csrfKljuc = csrfKljucTip{}
+
+// CsrfToken vraća CSRF token iz konteksta zahteva (postavlja ga CsrfMiddleware)
+func CsrfToken(ctx context.Context) string {
+	if v, ok := ctx.Value(csrfKljuc).(string); ok {
+		return v
+	}
+	return ""
+}
+
+// CsrfMiddleware generiše i validira CSRF tokene metodom cookie + skriveno polje
+func CsrfMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// čita postojeći ili generiše novi token
+		token := ""
+		if k, err := r.Cookie(csrfKolacic); err == nil && k.Value != "" {
+			token = k.Value
+		} else {
+			b := make([]byte, 32)
+			if _, err := rand.Read(b); err == nil {
+				token = base64.RawURLEncoding.EncodeToString(b)
+				http.SetCookie(w, &http.Cookie{
+					Name:     csrfKolacic,
+					Value:    token,
+					Path:     "/",
+					MaxAge:   86400 * 30,
+					HttpOnly: true,
+					SameSite: http.SameSiteStrictMode,
+				})
+			}
+		}
+
+		// ubacujemo token u context radi dostupnosti u handlerima i šablonima
+		ctx := context.WithValue(r.Context(), csrfKljuc, token)
+		r = r.WithContext(ctx)
+
+		// validiramo na svim mutabilnim HTTP metodama
+		switch r.Method {
+		case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
+			// čitamo token iz tela forme ili zaglavlja (za AJAX)
+			submitted := r.FormValue("_csrf")
+			if submitted == "" {
+				submitted = r.Header.Get("X-CSRF-Token")
+			}
+			if token == "" || submitted != token {
+				http.Error(w,
+					"Neispravan sigurnosni token. Osvežite stranicu i pokušajte ponovo.",
+					http.StatusForbidden,
+				)
+				return
+			}
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}