diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..621b011 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2025-02-28 - Caddy HTTP Security Headers Configuration +**Vulnerability:** The application was missing basic security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), increasing exposure to clickjacking and MIME-sniffing attacks. +**Learning:** Security posture isn't just about application-level code. The reverse proxy (Caddy) configuration serves as the first line of defense and is the correct layer to enforce global HTTP response headers. +**Prevention:** Always verify that the reverse proxy layer enforces foundational HTTP security headers instead of relying solely on the application code to handle response security. diff --git a/Caddyfile b/Caddyfile index 5cd8f6d..cdb0256 100644 --- a/Caddyfile +++ b/Caddyfile @@ -6,6 +6,12 @@ :80 { encode zstd gzip + header { + X-Frame-Options "DENY" + X-Content-Type-Options "nosniff" + Referrer-Policy "strict-origin-when-cross-origin" + } + handle /mcp { reverse_proxy 127.0.0.1:3001 }