fix: 修复了存在的XSS跨站攻击

Author: liueic

backend/internal/app/chat.go

@@ -99,11 +99,7 @@ func (s *Server) handleChat(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if stream {
-		contentType := response.Header.Get("Content-Type")
-		if contentType == "" {
-			contentType = "text/event-stream; charset=utf-8"
-		}
-		w.Header().Set("Content-Type", contentType)
+		w.Header().Set("Content-Type", "text/event-stream; charset=utf-8")
 		w.Header().Set("Cache-Control", "no-cache, no-transform")
 		w.Header().Set("Connection", "keep-alive")
 		w.Header().Set("X-Accel-Buffering", "no")
@@ -117,11 +113,7 @@ func (s *Server) handleChat(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	contentType := response.Header.Get("Content-Type")
-	if contentType == "" {
-		contentType = "application/json; charset=utf-8"
-	}
-	w.Header().Set("Content-Type", contentType)
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	w.WriteHeader(http.StatusOK)
 	_, _ = io.Copy(w, response.Body)
 }

backend/internal/app/server.go

@@ -57,6 +57,7 @@ func (s *Server) withLogging(route string, next http.HandlerFunc) http.HandlerFu
 		r = ensureRequestContext(r)
 		requestID := requestIDFromContext(r.Context())
 		w.Header().Set("X-Request-Id", requestID)
+		w.Header().Set("X-Content-Type-Options", "nosniff")
 
 		startedAt := time.Now()
 		recorder := &responseRecorder{

backend/internal/app/server_integration_test.go

@@ -69,7 +69,7 @@ func TestHandleChat_ProxiesSSE(t *testing.T) {
 		t.Fatalf("unexpected status: %d", response.StatusCode)
 	}
 	assertHeader(t, response.Header, "Access-Control-Allow-Origin", "http://frontend.test")
-	assertHeader(t, response.Header, "Content-Type", "text/event-stream")
+	assertHeader(t, response.Header, "Content-Type", "text/event-stream; charset=utf-8")
 	assertHeader(t, response.Header, "Cache-Control", "no-cache, no-transform")
 	assertHeader(t, response.Header, "X-Accel-Buffering", "no")