rustbasic_core/middleware/
security_headers.rs

1use crate::requests::Request;
2use crate::middleware::Next;
3use crate::router::Response;
4use http::header;
5
6pub async fn security_headers_middleware(
7    req: Request,
8    next: Next,
9) -> Response {
10    let mut response = next.run(req).await;
11    
12    let headers = response.headers_mut();
13    
14    // 1. Mencegah Clickjacking (SAMEORIGIN adalah standar industri untuk fleksibilitas internal)
15    headers.insert(header::X_FRAME_OPTIONS, "SAMEORIGIN".parse().unwrap());
16    
17    // 2. Mencegah MIME Sniffing
18    headers.insert(header::X_CONTENT_TYPE_OPTIONS, "nosniff".parse().unwrap());
19    
20    // 3. XSS Protection (untuk kompatibilitas browser lama)
21    headers.insert(header::X_XSS_PROTECTION, "1; mode=block".parse().unwrap());
22    
23    // 4. Referrer Policy (Standar modern untuk keamanan kebocoran URL referrer)
24    headers.insert(header::REFERRER_POLICY, "strict-origin-when-cross-origin".parse().unwrap());
25    
26    // 5. Permissions Policy (Membatasi akses API sensor hardware sensitif)
27    headers.insert(
28        http::header::HeaderName::from_static("permissions-policy"),
29        "camera=(), microphone=(), geolocation=(), payment=()".parse().unwrap()
30    );
31    
32    let cfg = crate::Config::load();
33    
34    // 6. Strict-Transport-Security (HSTS - Wajib HTTPS di mode Produksi)
35    if !cfg.app_debug {
36        headers.insert(
37            header::STRICT_TRANSPORT_SECURITY,
38            "max-age=31536000; includeSubDomains; preload".parse().unwrap()
39        );
40    }
41    let csp = if cfg.app_debug {
42        let port = cfg.vite_port;
43        let host = &cfg.app_host;
44        let extra_hosts = if host != "0.0.0.0" && host != "127.0.0.1" && host != "localhost" && !host.is_empty() {
45            format!("http://{}:{} ws://{}:{} ", host, port, host, port)
46        } else {
47            "".to_string()
48        };
49
50        format!(
51            "default-src 'self'; \
52             script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:{} http://127.0.0.1:{} {}https:; \
53             style-src 'self' 'unsafe-inline' http://localhost:{} http://127.0.0.1:{} {}https:; \
54             font-src 'self' https: data:; \
55             img-src 'self' data: https:; \
56             frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; \
57             connect-src 'self' ws://localhost:{} ws://127.0.0.1:{} http://localhost:{} http://127.0.0.1:{} {}https:;",
58            port, port, extra_hosts,
59            port, port, extra_hosts,
60            port, port, port, port, extra_hosts
61        )
62    } else {
63        "default-src 'self'; \
64         script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; \
65         style-src 'self' 'unsafe-inline' https:; \
66         font-src 'self' https: data:; \
67         img-src 'self' data: https:; \
68         frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; \
69         connect-src 'self' https:;".to_string()
70    };
71    headers.insert(header::CONTENT_SECURITY_POLICY, csp.parse().unwrap());
72    
73    response
74}
rustbasic_core/middleware/security_headers.rs

rustbasic_core/middleware/
security_headers.rs
