fix(security): mitigate reflected XSS on /metrics endpoint

CodeQL go/reflected-xss (high) flagged a data flow from HTTP request
into the metrics response body via Prometheus label values (e.g. path
or user-agent histogram labels).

Force a text/plain Content-Type and X-Content-Type-Options: nosniff in
the scrape limiter wrapper before the downstream handler writes any
bytes. Downstream promhttp may refine the Content-Type to the
Prometheus exposition variant, but the response can no longer be
MIME-sniffed as HTML by a browser.

Apply the same headers to the 429 Too Many Requests path.

Lock the behavior in with a TestScrapeLimiter_SecurityHeaders test
covering both success and rate-limited responses.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: rickcrawford

internal/observe/metric/scrape_limiter.go

@@ -40,6 +40,14 @@ func NewScrapeLimiter(minInterval time.Duration, maxBodySize int64) *ScrapeLimit
 // Wrap wraps an http.Handler with rate limiting for the /metrics endpoint.
 // Requests arriving before minInterval has elapsed since the last scrape receive
 // a 429 Too Many Requests response with a Retry-After header.
+//
+// Security: Prometheus metric labels can echo user-controlled data (e.g. request
+// path or user agent from histogram labels). To neutralize any reflected-XSS
+// risk if the response body is ever rendered as HTML, Wrap forces
+// X-Content-Type-Options: nosniff and a text/plain Content-Type before the
+// downstream handler writes any bytes. The downstream handler may still refine
+// the Content-Type (e.g. to Prometheus' exposition format with a charset), but
+// browsers will no longer MIME-sniff HTML out of this response.
 func (sl *ScrapeLimiter) Wrap(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		sl.mu.Lock()
@@ -52,6 +60,8 @@ func (sl *ScrapeLimiter) Wrap(next http.Handler) http.Handler {
 
 			retrySeconds := int(retryAfter.Seconds()) + 1
 			w.Header().Set("Retry-After", fmt.Sprintf("%d", retrySeconds))
+			w.Header().Set("X-Content-Type-Options", "nosniff")
+			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 			http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
 			return
 		}
@@ -60,6 +70,12 @@ func (sl *ScrapeLimiter) Wrap(next http.Handler) http.Handler {
 		maxBody := sl.maxBodySize
 		sl.mu.Unlock()
 
+		// Lock the response to plain text before the wrapped handler writes
+		// anything. This prevents any metric-label content from being
+		// interpreted as HTML by browsers (CodeQL go/reflected-xss).
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+
 		if maxBody > 0 {
 			lrw := &limitedResponseWriter{
 				ResponseWriter: w,

internal/observe/metric/scrape_limiter_test.go

@@ -228,3 +228,53 @@ func TestScrapeLimiter_RetryAfterHeader(t *testing.T) {
 		t.Errorf("expected Retry-After ~30, got %q", retryAfter)
 	}
 }
+
+// TestScrapeLimiter_SecurityHeaders verifies that the wrapper forces a
+// non-HTML Content-Type and nosniff so Prometheus label values cannot be
+// interpreted as HTML by a browser (mitigates CodeQL go/reflected-xss).
+func TestScrapeLimiter_SecurityHeaders(t *testing.T) {
+	t.Run("success response has nosniff and text/plain", func(t *testing.T) {
+		sl := NewScrapeLimiter(1*time.Second, 0)
+		handler := sl.Wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Attempt to set an HTML content type from the wrapped handler;
+			// the wrapper's early Set is what guards against label-based XSS,
+			// but legitimate downstream handlers may still refine to a more
+			// specific text/plain variant (e.g. Prometheus exposition format).
+			_, _ = w.Write([]byte(`<script>alert(1)</script>`))
+		}))
+
+		req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		if got := rr.Header().Get("X-Content-Type-Options"); got != "nosniff" {
+			t.Errorf("expected X-Content-Type-Options=nosniff, got %q", got)
+		}
+		if got := rr.Header().Get("Content-Type"); !strings.HasPrefix(got, "text/plain") {
+			t.Errorf("expected text/plain Content-Type, got %q", got)
+		}
+	})
+
+	t.Run("rate-limited response also has security headers", func(t *testing.T) {
+		sl := NewScrapeLimiter(30*time.Second, 0)
+		handler := sl.Wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, _ = w.Write([]byte("ok"))
+		}))
+
+		// Prime the limiter, then hit it again immediately.
+		handler.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/metrics", nil))
+
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/metrics", nil))
+
+		if rr.Code != http.StatusTooManyRequests {
+			t.Fatalf("expected 429, got %d", rr.Code)
+		}
+		if got := rr.Header().Get("X-Content-Type-Options"); got != "nosniff" {
+			t.Errorf("expected X-Content-Type-Options=nosniff on 429, got %q", got)
+		}
+		if got := rr.Header().Get("Content-Type"); !strings.HasPrefix(got, "text/plain") {
+			t.Errorf("expected text/plain Content-Type on 429, got %q", got)
+		}
+	})
+}