Fix security issues: error leakage, missing headers, TLS version, auth error exposure (#215)

Co-authored-by: Claude <noreply@anthropic.com>

Author: jadolg

Caddyfile

@@ -1,8 +1,11 @@
 dockerimagesave.yourdomain.org {
         reverse_proxy dockerimagesave:8080
         header Access-Control-Allow-Methods "GET, OPTIONS"
-        header Access-Control-Allow-Headers "*"
+        header Access-Control-Allow-Headers "Content-Type, Accept, Range, Content-Disposition"
         header Access-Control-Allow-Origin "*"
+        header X-Content-Type-Options "nosniff"
+        header X-Frame-Options "DENY"
+        header Referrer-Policy "strict-origin-when-cross-origin"
         log {
                 output file /logs/access.log {
                         roll_size 1gb

registry.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -10,6 +11,8 @@ import (
 	"os"
 	"strings"
 	"time"
+
+	log "github.com/sirupsen/logrus"
 )
 
 const bearerPrefix = "Bearer "
@@ -127,7 +130,14 @@ func ParseImageReference(ref string) ImageReference {
 // NewRegistryClient creates a new registry client
 func NewRegistryClient() *RegistryClient {
 	return &RegistryClient{
-		httpClient: &http.Client{Timeout: 300 * time.Second},
+		httpClient: &http.Client{
+			Timeout: 300 * time.Second,
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					MinVersion: tls.VersionTLS12,
+				},
+			},
+		},
 	}
 }
 
@@ -217,7 +227,8 @@ func (c *RegistryClient) fetchToken(realm, service, scope string, creds Registry
 
 	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
-		return "", fmt.Errorf("authentication failed: %d - %s", resp.StatusCode, string(body))
+		log.WithField("response_body", string(body)).WithField("status_code", resp.StatusCode).Debug("Authentication request failed")
+		return "", fmt.Errorf("authentication failed with status %d", resp.StatusCode)
 	}
 
 	var tokenResp struct {

server.go

@@ -153,7 +153,7 @@ func (s *Server) imageHandler(w http.ResponseWriter, r *http.Request) {
 			"image": imageName,
 		}).WithError(err).Error("Failed to download image")
 		errorsTotalMetric.Inc()
-		writeJSONError(w, fmt.Sprintf("failed to download image: %v", err), http.StatusInternalServerError)
+		writeJSONError(w, "failed to download image", http.StatusInternalServerError)
 		return
 	}
 	imagePath := result.(string)
@@ -171,7 +171,7 @@ func (s *Server) platformsHandler(w http.ResponseWriter, r *http.Request) {
 	platforms, err := GetImagePlatforms(imageName)
 	if err != nil {
 		log.WithField("image", imageName).WithError(err).Error("Failed to get platforms")
-		writeJSONError(w, fmt.Sprintf("failed to get platforms: %v", err), http.StatusInternalServerError)
+		writeJSONError(w, "failed to get platforms", http.StatusInternalServerError)
 		return
 	}
 	if platforms == nil {