Merge pull request #485 from stefanprodan/refactor-headers

Refactor response header settings

pkg/api/http/cache.go

@@ -120,6 +120,7 @@ func (s *Server) cacheReadHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	setRawResponseHeaders(w)
 	w.WriteHeader(http.StatusOK)
 	w.Write([]byte(data))
 }

pkg/api/http/echo.go

@@ -102,9 +102,7 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 		s.JSONResponse(w, r, result)
 
 	} else {
-		w.Header().Set("Content-Type", "application/octet-stream")
-		w.Header().Set("X-Content-Type-Options", "nosniff")
-		w.Header().Set("Content-Security-Policy", "default-src 'none'")
+		setRawResponseHeaders(w)
 		w.Header().Set("X-Color", s.config.UIColor)
 		w.WriteHeader(http.StatusAccepted)
 		w.Write(body)

pkg/api/http/http.go

@@ -87,6 +87,13 @@ func (s *Server) ErrorResponse(w http.ResponseWriter, r *http.Request, span trac
 	w.Write(prettyJSON(body))
 }
 
+// setRawResponseHeaders prevents XSS by ensuring browsers never interpret raw responses as HTML.
+func setRawResponseHeaders(w http.ResponseWriter) {
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("Content-Security-Policy", "default-src 'none'")
+}
+
 func prettyJSON(b []byte) []byte {
 	var out bytes.Buffer
 	json.Indent(&out, b, "", "  ")

pkg/api/http/store.go

@@ -67,9 +67,7 @@ func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
 		s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
 		return
 	}
-	w.Header().Set("Content-Type", "application/octet-stream")
-	w.Header().Set("X-Content-Type-Options", "nosniff")
-	w.Header().Set("Content-Security-Policy", "default-src 'none'")
+	setRawResponseHeaders(w)
 	w.WriteHeader(http.StatusAccepted)
 	w.Write([]byte(content))
 }