From 463cc80c05fcd6d0ea786bb7fbc252905f9dadd2 Mon Sep 17 00:00:00 2001
From: Emil Lerch <emil@lerch.org>
Date: Wed, 15 Oct 2025 15:03:06 -0700
Subject: [PATCH] add security headers to requests

---
 src/main.zig | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/main.zig b/src/main.zig
index c9eb6dc..3dfc30a 100644
--- a/src/main.zig
+++ b/src/main.zig
@@ -25,7 +25,9 @@ pub fn main() !void {
     defer server.deinit();
 
     // API routes
-    var router = try server.router(.{});
+    var security_headers = SecurityHeaders{};
+    const security_middleware = httpz.Middleware(*root.NotmuchDb).init(&security_headers);
+    var router = try server.router(.{ .middlewares = &.{security_middleware} });
     router.get("/api/query/*", queryHandler, .{});
     router.get("/api/thread/:thread_id", threadHandler, .{});
     router.get("/api/message/:message_id", messageHandler, .{});
@@ -36,6 +38,17 @@ pub fn main() !void {
     try server.listen();
 }
 
+const SecurityHeaders = struct {
+    pub fn execute(_: *SecurityHeaders, req: *httpz.Request, res: *httpz.Response, executor: anytype) !void {
+        res.header("X-Frame-Options", "deny");
+        res.header("X-Content-Type-Options", "nosniff");
+        res.header("X-XSS-Protection", "1; mode=block");
+        res.header("Referrer-Policy", "no-referrer");
+        _ = req;
+        return executor.next();
+    }
+};
+
 fn queryHandler(db: *root.NotmuchDb, req: *httpz.Request, res: *httpz.Response) !void {
     const query = req.url.path[11..]; // Skip "/api/query/"
     if (query.len == 0) {