kych

OAuth 2.0 API for Swiyu to enable Taler integration of Swiyu for KYC (experimental)

commit 1aa236021a718960cd37e439c41f1e96ae35194e
parent 6fd2c52c2eb7c210c761e31834cd2500ff193c55
Author: Henrique Chan Carvalho Machado <henriqueccmachado@tecnico.ulisboa.pt>
Date:   Mon, 19 Jan 2026 22:16:02 +0100

Add CSP header to /authorize HTML responses

Reduces XSS impact by restricting where scripts and styles can load from.

Diffstat:
Mkych_oauth2_gateway/src/handlers.rs | 12++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kych_oauth2_gateway/src/handlers.rs b/kych_oauth2_gateway/src/handlers.rs
@@ -10,6 +10,8 @@ use serde_json::json;
 use crate::{crypto, db::sessions::SessionStatus, models::*, state::AppState};
+const HTML_CSP: &str = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
+
 fn is_safe_url(url: &str) -> bool {
     url.to_lowercase().starts_with("https://")
 }
@@ -284,7 +286,10 @@ pub async fn authorize(
         return Ok((
             StatusCode::OK,
-            [(header::CONTENT_TYPE, "text/html; charset=utf-8")],
+            [
+                (header::CONTENT_TYPE, "text/html; charset=utf-8"),
+                (header::CONTENT_SECURITY_POLICY, HTML_CSP),
+            ],
             html,
         ).into_response());
     }
@@ -448,7 +453,10 @@ pub async fn authorize(
         return Ok((
             StatusCode::OK,
-            [(header::CONTENT_TYPE, "text/html; charset=utf-8")],
+            [
+                (header::CONTENT_TYPE, "text/html; charset=utf-8"),
+                (header::CONTENT_SECURITY_POLICY, HTML_CSP),
+            ],
             html,
         ).into_response());
     }
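Review bot: The `HTML_CSP` constant in the first hunk keeps `'unsafe-inline'` in `script-src`, so any markup injection that reaches the /authorize HTML can still execute an inline script; the policy only blocks loading scripts from other origins, which makes the XSS reduction narrower than the commit message suggests. If the rendered templates carry inline scripts, a per-response nonce (`script-src 'self' 'nonce-<value>'`, with the same value on each `<script>` tag) keeps them working without the blanket allowance; if they do not, drop it and tighten the remaining directives, e.g. `const HTML_CSP: &str = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";`. The header array is duplicated verbatim in the second and third hunks; a small helper returning the two `(HeaderName, &'static str)` pairs would keep future header additions in one place. A `///` comment on the constant stating which template content requires the inline allowances would let the next reader judge whether they can be removed. `authorize` begins and ends outside both hunks, so whether every HTML response path in it now sets the header cannot be confirmed from here.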