chore: Fix golangci-lint 2.12.1 findings (#7690)

modules/caddyhttp/fileserver/browse.go

@@ -281,7 +281,13 @@ func (fsrv *FileServer) browseApplyQueryParams(w http.ResponseWriter, r *http.Re
 			sortParam = sortCookie.Value
 		}
 	case sortByName, sortByNameDirFirst, sortBySize, sortByTime:
-		http.SetCookie(w, &http.Cookie{Name: "sort", Value: sortParam, Secure: r.TLS != nil})
+		http.SetCookie(w, &http.Cookie{ //nolint:gosec // Secure depends on whether the request itself used TLS
+			Name:     "sort",
+			Value:    sortParam,
+			Secure:   r.TLS != nil,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+		})
 	}
 
 	// then figure out the order
@@ -292,7 +298,13 @@ func (fsrv *FileServer) browseApplyQueryParams(w http.ResponseWriter, r *http.Re
 			orderParam = orderCookie.Value
 		}
 	case sortOrderAsc, sortOrderDesc:
-		http.SetCookie(w, &http.Cookie{Name: "order", Value: orderParam, Secure: r.TLS != nil})
+		http.SetCookie(w, &http.Cookie{ //nolint:gosec // Secure depends on whether the request itself used TLS
+			Name:     "order",
+			Value:    orderParam,
+			Secure:   r.TLS != nil,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+		})
 	}
 
 	// finally, apply the sorting and limiting

modules/caddyhttp/fileserver/staticfiles.go

@@ -785,7 +785,7 @@ func redirect(w http.ResponseWriter, r *http.Request, toPath string) error {
 	if r.URL.RawQuery != "" {
 		toPath += "?" + r.URL.RawQuery
 	}
-	http.Redirect(w, r, toPath, http.StatusPermanentRedirect)
+	http.Redirect(w, r, toPath, http.StatusPermanentRedirect) //nolint:gosec // toPath is a same-origin path and leading // is stripped above
 	return nil
 }
 

modules/caddyhttp/reverseproxy/selectionpolicies.go

@@ -664,10 +664,12 @@ func (s CookieHashSelection) Select(pool UpstreamPool, req *http.Request, w http
 			return upstream
 		}
 		cookie := &http.Cookie{
-			Name:   s.Name,
-			Value:  sha,
-			Path:   "/",
-			Secure: false,
+			Name:     s.Name,
+			Value:    sha,
+			Path:     "/",
+			Secure:   false,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
 		}
 		isProxyHttps := false
 		if trusted, ok := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool); ok && trusted {

modules/caddyhttp/routes.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 
 	"github.com/caddyserver/caddy/v2"
@@ -241,8 +242,8 @@ func (routes RouteList) Compile(next Handler) Handler {
 		mid = append(mid, wrapRoute(route))
 	}
 	stack := next
-	for i := len(mid) - 1; i >= 0; i-- {
-		stack = mid[i](stack)
+	for _, middleware := range slices.Backward(mid) {
+		stack = middleware(stack)
 	}
 	return stack
 }
@@ -305,8 +306,8 @@ func wrapRoute(route Route) Middleware {
 			}
 
 			// compile this route's handler stack
-			for i := len(route.middleware) - 1; i >= 0; i-- {
-				nextCopy = route.middleware[i](nextCopy)
+			for _, middleware := range slices.Backward(route.middleware) {
+				nextCopy = middleware(nextCopy)
 			}
 
 			// Apply metrics instrumentation once for the entire route,

modules/caddyhttp/server.go

@@ -1085,11 +1085,11 @@ func strictUntrustedClientIp(r *http.Request, headers []string, trusted []netip.
 	for _, headerName := range headers {
 		parts := strings.Split(strings.Join(r.Header.Values(headerName), ","), ",")
 
-		for i := len(parts) - 1; i >= 0; i-- {
+		for _, part := range slices.Backward(parts) {
 			// Some proxies may retain the port number, so split if possible
-			host, _, err := net.SplitHostPort(parts[i])
+			host, _, err := net.SplitHostPort(part)
 			if err != nil {
-				host = parts[i]
+				host = part
 			}
 
 			// Remove any zone identifier from the IP address