oatpp-authkit/include/oatpp-authkit/interceptor/SecurityHeadersInterceptor.hpp
Uwe Schuster 081e0b36dc v0.2.1: wrap clean-lift headers in namespace oatpp_authkit
The four clean-lift headers (SecurityHeadersInterceptor,
BodySizeLimitInterceptor, JsonErrorHandler, RateLimiter) were copied
verbatim in v0.1.0 and left in the global namespace — consumers that
adopt the library alongside existing same-named classes (e.g. fewo-webapp
during the #417 swap) would hit ODR clashes.

Wrap them in the same namespace the v0.2 auth seams use. Patch bump; no
API surface change beyond the qualifier.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 21:53:21 +02:00


#ifndef SecurityHeadersInterceptor_hpp
#define SecurityHeadersInterceptor_hpp
#include "oatpp/web/server/interceptor/ResponseInterceptor.hpp"

#include <memory>
namespace oatpp_authkit {
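/**
 * @brief Response interceptor that stamps a fixed set of security headers onto every response.
 *
 * Headers set (values are the public constants below, so consumers can reference
 * or compare against them instead of re-typing the literals):
 * - X-Content-Type-Options: nosniff — disables MIME-type sniffing
 * - X-Frame-Options: SAMEORIGIN — mitigates clickjacking from foreign origins
 * - Referrer-Policy: strict-origin-when-cross-origin — limits referrer leakage
 * - Content-Security-Policy — restricts the origins resources may be loaded from
 * - Strict-Transport-Security: max-age=63072000; includeSubDomains — two-year HSTS
 *
 * Points a deployer should review before adopting the defaults:
 * - Headers are written with putHeader(), so a same-named header set earlier in the
 *   chain by a handler is replaced, not preserved.
 * - script-src and style-src allow 'unsafe-inline' and a third-party CDN
 *   (https://unpkg.com). 'unsafe-inline' removes most of the script-injection
 *   protection CSP offers, and the CDN source carries no subresource-integrity pin here.
 * - img-src accepts any https: origin.
 * - The HSTS header is emitted unconditionally; user agents honour it only on TLS
 *   responses, so over plain HTTP it is sent but inert.
 * - frame-ancestors 'self' and X-Frame-Options SAMEORIGIN express the same policy;
 *   both are sent so older user agents that ignore CSP are still covered.
 */
class SecurityHeadersInterceptor : public oatpp::web::server::interceptor::ResponseInterceptor {
public:
  /// Value sent for X-Content-Type-Options.
  static constexpr const char* kContentTypeOptions = "nosniff";
  /// Value sent for X-Frame-Options.
  static constexpr const char* kFrameOptions = "SAMEORIGIN";
  /// Value sent for Referrer-Policy.
  static constexpr const char* kReferrerPolicy = "strict-origin-when-cross-origin";
  /// Value sent for Content-Security-Policy. Adjacent literals concatenate into one
  /// directive list; each directive ends with "; " so the string stays parseable
  /// if a directive is added or removed.
  static constexpr const char* kContentSecurityPolicy =
      "default-src 'self'; "
      "script-src 'self' 'unsafe-inline' https://unpkg.com; "
      "style-src 'self' 'unsafe-inline' https://unpkg.com; "
      "img-src 'self' data: https:; "
      "connect-src 'self' wss: ws:; "
      "font-src 'self'; "
      "frame-ancestors 'self'; "
      "base-uri 'self'; "
      "form-action 'self'";
  /// Value sent for Strict-Transport-Security (63072000 s = 730 days).
  static constexpr const char* kStrictTransportSecurity = "max-age=63072000; includeSubDomains";

  /**
   * @brief Applies the security headers to @p response and returns it.
   * @param request  The incoming request. Not inspected: the headers are added
   *                 regardless of path, method or scheme.
   * @param response The response being finalised; mutated in place.
   * @return The same @p response object, with the headers applied.
   */
  std::shared_ptr<OutgoingResponse> intercept(
      const std::shared_ptr<IncomingRequest>& request,
      const std::shared_ptr<OutgoingResponse>& response) override {
    (void)request;  // policy is response-only; silence unused-parameter warnings
    response->putHeader("X-Content-Type-Options", kContentTypeOptions);
    response->putHeader("X-Frame-Options", kFrameOptions);
    response->putHeader("Referrer-Policy", kReferrerPolicy);
    response->putHeader("Content-Security-Policy", kContentSecurityPolicy);
    response->putHeader("Strict-Transport-Security", kStrictTransportSecurity);
    return response;
  }
};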
} // namespace oatpp_authkit
#endif