From 7d8e7005b1e2e0008a7501978cc9e8bd4de19ff5 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Wed, 20 May 2026 10:50:31 +0300
Subject: [PATCH] Refactor response header settings

Signed-off-by: Stefan Prodan
---
 pkg/api/http/cache.go | 1 +
 pkg/api/http/echo.go | 4 +---
 pkg/api/http/http.go | 7 +++++++
 pkg/api/http/store.go | 4 +---
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/pkg/api/http/cache.go b/pkg/api/http/cache.go
index 228e858..e335ac5 100644
--- a/pkg/api/http/cache.go
+++ b/pkg/api/http/cache.go
@@ -120,6 +120,7 @@ func (s *Server) cacheReadHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ setRawResponseHeaders(w)
 w.WriteHeader(http.StatusOK)
 w.Write([]byte(data))
 }
diff --git a/pkg/api/http/echo.go b/pkg/api/http/echo.go
index 81e3d3c..56305d1 100644
--- a/pkg/api/http/echo.go
+++ b/pkg/api/http/echo.go
@@ -102,9 +102,7 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 s.JSONResponse(w, r, result)
 } else {
- w.Header().Set("Content-Type", "application/octet-stream")
- w.Header().Set("X-Content-Type-Options", "nosniff")
- w.Header().Set("Content-Security-Policy", "default-src 'none'")
+ setRawResponseHeaders(w)
 w.Header().Set("X-Color", s.config.UIColor)
 w.WriteHeader(http.StatusAccepted)
 w.Write(body)
diff --git a/pkg/api/http/http.go b/pkg/api/http/http.go
index 360a525..a928655 100644
--- a/pkg/api/http/http.go
+++ b/pkg/api/http/http.go
@@ -87,6 +87,13 @@ func (s *Server) ErrorResponse(w http.ResponseWriter, r *http.Request, span trac
 w.Write(prettyJSON(body))
 }
 
+// setRawResponseHeaders prevents XSS by ensuring browsers never interpret raw responses as HTML.
+func setRawResponseHeaders(w http.ResponseWriter) {
+ w.Header().Set("Content-Type", "application/octet-stream")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
+ w.Header().Set("Content-Security-Policy", "default-src 'none'")
+}
+
 func prettyJSON(b []byte) []byte {
 var out bytes.Buffer
 json.Indent(&out, b, "", " ")
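Review bot: The cache read path gains `Content-Type: application/octet-stream` where the hunk shows no Content-Type being set before `w.WriteHeader(http.StatusOK)`, so unless one is set earlier in cacheReadHandler (outside the hunk) clients that previously received a sniffed type for this endpoint will now see an opaque binary type. That is the right hardening for an untyped body, but the commit title says "Refactor" while the other two call sites only replace headers they already set; the commit message should call out the client-visible change for this endpoint. The start of cacheReadHandler lies outside the hunk.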
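Review bot: The doc comment on `setRawResponseHeaders` states the goal but not the contract a caller must respect: `Header().Set` has no effect once `WriteHeader` has run, and the call overwrites any Content-Type a handler set earlier, so both belong in the comment. Suggest: `// setRawResponseHeaders sets Content-Type, X-Content-Type-Options and Content-Security-Policy so a raw body is never sniffed or rendered as HTML; it overwrites a previously set Content-Type and must run before WriteHeader.` All three call sites in this commit (cache.go, echo.go, store.go) do invoke it before WriteHeader, so the ordering is currently satisfied.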
diff --git a/pkg/api/http/store.go b/pkg/api/http/store.go
index f959be2..5f593bb 100644
--- a/pkg/api/http/store.go
+++ b/pkg/api/http/store.go
@@ -67,9 +67,7 @@ func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
 s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
 return
 }
- w.Header().Set("Content-Type", "application/octet-stream")
- w.Header().Set("X-Content-Type-Options", "nosniff")
- w.Header().Set("Content-Security-Policy", "default-src 'none'")
+ setRawResponseHeaders(w)
 w.WriteHeader(http.StatusAccepted)
 w.Write([]byte(content))
 }