package middleware import ( "net/http" "github.com/gin-gonic/gin" ) // SecurityHeaders 设置安全响应头中间件。 // 设置:X-Content-Type-Options: nosniff // // X-Frame-Options: DENY // Referrer-Policy: strict-origin-when-cross-origin // Strict-Transport-Security: max-age=31536000; includeSubDomains // Content-Security-Policy: default-src 'self' // 移除 Server 头 func SecurityHeaders() gin.HandlerFunc { return func(c *gin.Context) { h := c.Writer.Header() h.Set("X-Content-Type-Options", "nosniff") h.Set("X-Frame-Options", "DENY") h.Set("Referrer-Policy", "strict-origin-when-cross-origin") h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") h.Set("Content-Security-Policy", "default-src 'self'") h.Del("Server") c.Next() // 响应处理结束后再次移除 Server 头,防止处理过程中被写入 c.Writer.Header().Del("Server") } } // RequestBodyLimit 限制请求体大小中间件。 // 通过 http.MaxBytesReader 包装 Body,超限读取时返回 413。 func RequestBodyLimit(maxBytes int64) gin.HandlerFunc { return func(c *gin.Context) { c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, maxBytes) c.Next() } }