
fix: CxONE findings #178
Open
cb80 wants to merge 1 commit into main from httpHeaders

Conversation

@cb80
Contributor

@cb80 cb80 commented Jun 5, 2026

What this PR does / why we need it:


Special notes for your reviewer:


Release note:


Summary by CodeRabbit

  • Security Improvements

    • Implemented enhanced HTTP security headers with Content-Security-Policy directives to prevent content injection attacks, protect against unauthorized framing, and restrict form submissions to approved sources.
  • Chores

    • Updated linting configuration.

@cb80 cb80 self-assigned this Jun 5, 2026
@coderabbitai

coderabbitai Bot commented Jun 5, 2026


Walkthrough

The PR adds security hardening to the HTTP server by wrapping it with a middleware that applies Content-Security-Policy headers, and updates the linter configuration to disable the gomodguard linter check.

Changes

Security Configuration and Headers

Layer: Disable module guard linter
File(s): .golangci.yaml
Summary: gomodguard is added to the linters.disable list in golangci-lint configuration.

Layer: Security headers middleware integration
File(s): internal/business/server/http_server.go
Summary: HTTP server handler is wrapped with SecurityHeadersMiddleware, configured with a restrictive Content-Security-Policy that blocks default content, prevents frame embedding, disables base tag processing, and restricts form submissions.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. The PR description contains only template placeholders without any actual content, special notes, or release notes filled in by the author. Resolution: fill in the template sections with actual details: explain what CxONE findings were addressed, describe the security header changes, and specify the release note (or 'NONE' if not applicable).

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title 'fix: CxONE findings' refers to addressing CxONE security findings, which aligns with the changes made (adding security headers middleware and updating linter config for security purposes).
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



Signed-off-by: Chris Burkert <burkert.chris@gmail.com>
@cb80 cb80 marked this pull request as ready for review June 5, 2026 09:29

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.golangci.yaml:
- Line 31: Re-enable gomodguard in .golangci.yaml (remove or undo the entry that
disables "gomodguard") unless you can add a clear, documented justification for
disabling it; if you choose to keep it disabled instead, add an alternative
dependency allow/block enforcement and document it in the repo (for example: a
COMPANY_DEPENDENCY_POLICY.md describing how dependencies are approved, or a CI
check that validates an allowlist) and reference the specific dependency usage
in internal/business/server/http_server.go (middleware.SecurityHeadersMiddleware
from github.com/openkcm/common-sdk) to show why the exception is needed. Ensure
the change either re-enables "gomodguard" or commits the justification and
alternative enforcement so supply-chain dependency validation is preserved.

In `@internal/business/server/http_server.go`:
- Around line 55-57: Add unit tests that exercise the
SecurityHeadersMiddleware-wrapped handler: create a server via
createHTTPServer(context.Background(), cfg), send an httptest request to an
existing endpoint (e.g., "/health") using server.Handler.ServeHTTP, and assert
that the "Content-Security-Policy" header exists and equals "default-src 'none';
frame-ancestors 'none'; base-uri 'none'; form-action 'none';"; also assert the
original handler behavior (status code/body) is unchanged to ensure middleware
does not interfere. Use a test file (e.g., http_server_test.go) and reference
middleware.SecurityHeadersMiddleware, createHTTPServer, and server.Handler in
the test.
📥 Commits

Reviewing files that changed from the base of the PR and between 85be2c2 and fd27e2c.

📒 Files selected for processing (2)
  • .golangci.yaml
  • internal/business/server/http_server.go

Comment thread .golangci.yaml
- gocritic
- godot
- godox
- gomodguard
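Review bot: The `- gomodguard` entry on the last line of the hunk disables the module allow/block check with nothing in the file recording why; a later reader cannot tell whether this is a deliberate exception for github.com/openkcm/common-sdk or a shortcut to silence a lint failure. Put a one-line YAML comment above the entry naming the finding or module that triggered it, or keep the linter enabled and grant the exception in its own module configuration so the guard keeps running for every other import.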


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for gomodguard configuration and verify the middleware package

# Look for gomodguard configuration files
echo "=== Searching for gomodguard configuration ==="
fd -t f -e yaml -e yml -e toml | xargs rg -l "gomodguard" 2>/dev/null || echo "No gomodguard config found"

# Check if common-sdk is referenced in any allow/block lists
echo -e "\n=== Checking for common-sdk in config files ==="
rg -i "common-sdk|openkcm" -g "*.{yaml,yml,toml}" -C 3

# Verify the middleware package is actually used
echo -e "\n=== Verifying middleware.SecurityHeadersMiddleware usage ==="
rg -n "SecurityHeadersMiddleware" --type go

# Check go.mod for the dependency version
echo -e "\n=== Checking go.mod for common-sdk version ==="
rg "github.com/openkcm/common-sdk" go.mod

Repository: openkcm/checker



🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .golangci.yaml lines 1-80 ==="
nl -ba .golangci.yaml | sed -n '1,80p'

echo -e "\n=== Search for gomodguard in .golangci.yaml ==="
rg -n "gomodguard" .golangci.yaml

echo -e "\n=== Any other gomodguard config files (yaml/yml/toml) ==="
fd -t f -e yaml -e yml -e toml . | xargs -r rg -l "gomodguard" || true

echo -e "\n=== Confirm common-sdk + middleware usage ==="
rg -n "openkcm/common-sdk|pkg/middleware|SecurityHeadersMiddleware" --glob '*.go'

echo -e "\n=== go.mod entry for common-sdk ==="
rg -n "github.com/openkcm/common-sdk" go.mod



🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .golangci.yaml (first 120 lines with line numbers) ==="
cat -n .golangci.yaml | sed -n '1,120p'

echo -e "\n=== Search for gomodguard in .golangci.yaml ==="
rg -n "gomodguard" .golangci.yaml || true

echo -e "\n=== Any other gomodguard config files (yaml/yml/toml) ==="
fd -t f -e yaml -e yml -e toml . | xargs -r rg -l "gomodguard" || true

echo -e "\n=== Confirm common-sdk + middleware usage ==="
rg -n "openkcm/common-sdk|pkg/middleware|SecurityHeadersMiddleware" --glob '*.go' || true

echo -e "\n=== go.mod entry for common-sdk ==="
rg -n "github.com/openkcm/common-sdk" go.mod || true



Re-enable (or justify disabling) gomodguard to keep dependency allow/block enforcement

.golangci.yaml disables gomodguard (linters.disable: - gomodguard), and no other repo gomodguard configuration was found—so allow/block dependency validation won’t run. This removes supply-chain controls for the github.com/openkcm/common-sdk dependency used via middleware.SecurityHeadersMiddleware in internal/business/server/http_server.go.

Provide a concrete justification for disabling gomodguard and/or add an alternative dependency enforcement mechanism; otherwise re-enable it.


Comment on lines +55 to +57
Handler: middleware.SecurityHeadersMiddleware(mux, map[string]string{
"Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none';",
}),
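Review bot: The policy on the second line of the hunk is a bare string literal inside the server wiring, and the test suggested further down repeats the same literal verbatim; hoist it into a named constant next to createHTTPServer so the handler and its test cannot drift apart. While touching it, drop the trailing `;` after form-action 'none': it yields an empty final directive that browsers ignore, but the canonical form is easier to compare against a scanner's expected value.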


🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add tests to verify security headers are applied correctly.

The security middleware integration lacks test coverage. Add tests to verify:

  1. The CSP header is present in all responses
  2. The header value matches the expected policy
  3. The middleware doesn't interfere with existing handler behavior
🧪 Example test structure

Add to your test file (e.g., http_server_test.go):

// Package name assumed from the directory internal/business/server; it is not shown on the page.
package server

import (
    "context"
    "net/http/httptest"
    "testing"
    // The project's own config package must be imported here; its import path is not shown on the page.
)

func TestSecurityHeadersApplied(t *testing.T) {
    cfg := &config.Config{
        Server:      config.ServerConfig{Address: ":8080"},
        Healthcheck: config.HealthcheckConfig{Enabled: true, Endpoint: "/health"},
    }

    server := createHTTPServer(context.Background(), cfg)

    req := httptest.NewRequest("GET", "/health", nil)
    w := httptest.NewRecorder()

    // Drive the middleware-wrapped handler directly; no listener is needed.
    server.Handler.ServeHTTP(w, req)

    // Header() is the recorder's live map; w.Result().Header is the snapshot a client would receive.
    csp := w.Header().Get("Content-Security-Policy")
    expectedCSP := "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none';"

    if csp != expectedCSP {
        t.Errorf("Expected CSP %q, got %q", expectedCSP, csp)
    }
}
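As an added example (not the PR's code and not common-sdk's), the wrapping pattern the review above asks to test, using the exact policy from lines +55 to +57, placed next to the ordering mistake such a test would catch: headers set after the handler has already written its status never reach the client. SecurityHeaders, LateHeaders, Health and Serve are assumed names; the real middleware lives in github.com/openkcm/common-sdk and its body is not shown on this page.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
)

// CSP is the exact policy the PR passes to the middleware.
const CSP = "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none';"

// SecurityHeaders is an assumed stand-in for common-sdk's SecurityHeadersMiddleware (its real body
// is not on the page): headers are set BEFORE delegating, so they go out with the handler's status.
func SecurityHeaders(next http.Handler, hdrs map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range hdrs {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// LateHeaders is the classic mistake: setting headers after the handler has already called
// WriteHeader. The header block has gone out by then, so the headers are silently dropped.
func LateHeaders(next http.Handler, hdrs map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r)
		for k, v := range hdrs {
			w.Header().Set(k, v)
		}
	})
}

// Health stands in for the PR's /health endpoint: it writes its own status and body.
var Health = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	io.WriteString(w, "ok")
})

// Serve sends one GET through h and returns what a test should assert on: the CSP header a client
// would actually receive (Result() snapshots headers at the first write), plus status and body.
func Serve(h http.Handler, path string) (csp string, status int, body string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	res := rec.Result()
	b, _ := io.ReadAll(res.Body)
	return res.Header.Get("Content-Security-Policy"), res.StatusCode, string(b)
}

func main() { c, s, b := Serve(SecurityHeaders(Health, map[string]string{"Content-Security-Policy": CSP}), "/health"); println(c, s, b) }
```

Assert on rec.Result().Header rather than the recorder's live Header() map; the live map still contains late-set headers, so the LateHeaders case would wrongly look as if it passed.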
