Security Headers Middleware

[fiandev]

Description:
Create a built-in middleware that automatically sets essential HTTP security headers on every response. This is a critical security feature that modern frameworks should provide out-of-the-box.

Proposed Headers:

• Content-Security-Policy - Prevents XSS attacks
• X-Frame-Options - Prevents clickjacking
• X-Content-Type-Options - Prevents MIME-sniffing
• X-XSS-Protection - XSS filter (legacy but still useful)
• Strict-Transport-Security (HSTS) - Enforces HTTPS
• Referrer-Policy - Controls referrer information

Proposed API:

import AppRoutes from './modules/app/AppRoutes';
import { defineBootstrap } from 'gaman';

defineBootstrap(async (app) => {
  app.mount(appRoutes, {
    security: {
      contentSecurityPolicy: "default-src 'self'",
      xFrameOptions: 'DENY',
      hsts: true, // max-age in seconds
    }
  });
})

[angga7togk]

kalau begitu di tambahin app.mountMiddleware aja

import AppRoutes from './modules/app/AppRoutes';
import { defineBootstrap } from 'gaman';

defineBootstrap(async (app) => {
  app.mountMiddleware(appRoutes, {
    security: {
      contentSecurityPolicy: "default-src 'self'",
      xFrameOptions: 'DENY',
      hsts: true, // max-age in seconds
    }
  });
})

tujuannya biar lebih spesifik dan enak di baca

atau best practice nya biar file bootstrap clean buat config didalam composeMiddleware aja

contoh:

composeMiddleware(
	(ctx, next) => {
		return next();
	},
	{
		security: {
			contentSecurityPolicy: "default-src 'self'",
			xFrameOptions: 'DENY',
			hsts: true, // max-age in seconds
		},
	},
);

tapi ini agak tricky lu harus ngubah logic pipeline di gaman core nya di file gaman.ts

[fiandev]

alrady implemented at #48