Skip to content

security: add baseline response headers#179

Open
es3298 wants to merge 1 commit into
StableRoute-Org:mainfrom
es3298:security/baseline-response-headers-112
Open

security: add baseline response headers#179
es3298 wants to merge 1 commit into
StableRoute-Org:mainfrom
es3298:security/baseline-response-headers-112

Conversation

@es3298

@es3298 es3298 commented Jul 5, 2026

Copy link
Copy Markdown

Summary

  • add all-route baseline security headers through next.config.ts
  • document the purpose of each header in the README
  • add a Jest config test that asserts the catch-all route and exact header values

Closes #112

Header rationale

  • X-Content-Type-Options: nosniff reduces MIME-sniffing risk for dashboard responses.
  • Referrer-Policy: strict-origin-when-cross-origin avoids leaking full dashboard URLs to cross-origin destinations.
  • X-Frame-Options: DENY prevents clickjacking-style embedding of the operator console.
  • Permissions-Policy: camera=(), microphone=(), geolocation=() disables browser capabilities the app does not use.

Validation

  • npm test -- src/__tests__/nextConfigHeaders.test.ts --runInBand
  • npm test -- src/__tests__/nextConfigHeaders.test.ts --runInBand --coverage --collectCoverageFrom=next.config.ts
    • next.config.ts: 100% statements, 100% branches, 100% functions, 100% lines
  • npm run lint
  • git diff --check
  • curl.exe -I http://localhost:3020/
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: DENY
Permissions-Policy: camera=(), microphone=(), geolocation=()

Notes

  • npm run build is still blocked by the existing upstream src/app/quote/Client.tsx assetsDiffer type error.
  • npm test -- --runInBand is still blocked by existing upstream assetsDiffer quote test failures and the existing theme storage no-op expectation failure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add Referrer-Policy, Permissions-Policy, and X-Content-Type-Options headers via next.config

2 participants