security: harden against SAST findings (criticals through mediums)

Critical:
- Validate baseURL/sourceURL/upstreamURL at config load time
  (prevents XML injection, XSS, SSRF via config/env manipulation)
- Use xml.Escape for OpenSearch XML template interpolation

High:
- Add security headers middleware (CSP, X-Frame-Options, HSTS, etc.)
- Sanitize result URLs to reject javascript:/data: schemes
- Sanitize infobox img_src against dangerous URL schemes
- Default CORS to deny-all (was wildcard *)

Medium:
- Rate limiter: X-Forwarded-For only trusted from configured proxies
- Validate engine names against known registry allowlist
- Add 1024-char max query length
- Sanitize upstream error messages (strip raw response bodies)
- Upstream client validates URL scheme (http/https only)

Test updates:
- Update extractIP tests for new trusted proxy behavior

internal/util/validate.go

@@ -0,0 +1,123 @@
+// kafka — a privacy-respecting metasearch engine
+// Copyright (C) 2026-present metamorphosis-dev
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License,// or (at your option) any later version.
+
+package util
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+)
+
+// SafeURLScheme returns true if the URL uses an acceptable scheme (http or https).
+func SafeURLScheme(raw string) bool {
+	u, err := url.Parse(raw)
+	if err != nil {
+		return false
+	}
+	return u.Scheme == "http" || u.Scheme == "https"
+}
+
+// IsPrivateIP returns true if the IP address is in a private, loopback,
+// link-local, or otherwise non-routable range.
+func IsPrivateIP(host string) bool {
+	// Strip port if present.
+	h, _, err := net.SplitHostPort(host)
+	if err != nil {
+		h = host
+	}
+
+	// Resolve hostname to IPs.
+	ips, err := net.LookupIP(h)
+	if err != nil || len(ips) == 0 {
+		// If we can't resolve, reject to be safe.
+		return true
+	}
+
+	for _, ip := range ips {
+		if isPrivateIPAddr(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+func isPrivateIPAddr(ip net.IP) bool {
+	privateRanges := []struct {
+		network *net.IPNet
+	}{
+		// Loopback
+		{mustParseCIDR("127.0.0.0/8")},
+		{mustParseCIDR("::1/128")},
+		// RFC 1918
+		{mustParseCIDR("10.0.0.0/8")},
+		{mustParseCIDR("172.16.0.0/12")},
+		{mustParseCIDR("192.168.0.0/16")},
+		// RFC 6598 (Carrier-grade NAT)
+		{mustParseCIDR("100.64.0.0/10")},
+		// Link-local
+		{mustParseCIDR("169.254.0.0/16")},
+		{mustParseCIDR("fe80::/10")},
+		// IPv6 unique local
+		{mustParseCIDR("fc00::/7")},
+		// IPv4-mapped IPv6 loopback
+		{mustParseCIDR("::ffff:127.0.0.0/104")},
+	}
+
+	for _, r := range privateRanges {
+		if r.network.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+func mustParseCIDR(s string) *net.IPNet {
+	_, network, err := net.ParseCIDR(s)
+	if err != nil {
+		panic(fmt.Sprintf("validate: invalid CIDR %q: %v", s, err))
+	}
+	return network
+}
+
+// ValidatePublicURL checks that a URL is well-formed, uses http or https,
+// and does not point to a private/reserved IP range.
+func ValidatePublicURL(raw string) error {
+	u, err := url.Parse(raw)
+	if err != nil {
+		return fmt.Errorf("invalid URL: %w", err)
+	}
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return fmt.Errorf("URL must use http or https, got %q", u.Scheme)
+	}
+	if u.Host == "" {
+		return fmt.Errorf("URL must have a host")
+	}
+	if IsPrivateIP(u.Host) {
+		return fmt.Errorf("URL points to a private or reserved address: %s", u.Host)
+	}
+	return nil
+}
+
+// SanitizeResultURL ensures a URL is safe for rendering in an href attribute.
+// It rejects javascript:, data:, vbscript: and other dangerous schemes.
+func SanitizeResultURL(raw string) string {
+	if raw == "" {
+		return ""
+	}
+	u, err := url.Parse(raw)
+	if err != nil {
+		return ""
+	}
+	switch strings.ToLower(u.Scheme) {
+	case "http", "https", "":
+		return raw
+	default:
+		return ""
+	}
+}