From 10ee988ce2f0456fa8a98c978b8c405caeba2182 Mon Sep 17 00:00:00 2001 From: ruinivist <179396038+ruinivist@users.noreply.github.com> Date: Fri, 5 Jun 2026 08:20:05 +0000 Subject: [PATCH] feat: add http security headers to caddy config Adds X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers to all responses served by Caddy to mitigate clickjacking and MIME-type sniffing. --- .jules/sentinel.md | 4 ++++ Caddyfile | 6 ++++++ 2 files changed, 10 insertions(+) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..621b011 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2025-02-28 - Caddy HTTP Security Headers Configuration +**Vulnerability:** The application was missing basic security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), increasing exposure to clickjacking and MIME-sniffing attacks. +**Learning:** Security posture isn't just about application-level code. The reverse proxy (Caddy) configuration serves as the first line of defense and is the correct layer to enforce global HTTP response headers. +**Prevention:** Always verify that the reverse proxy layer enforces foundational HTTP security headers instead of relying solely on the application code to handle response security. diff --git a/Caddyfile b/Caddyfile index 5cd8f6d..cdb0256 100644 --- a/Caddyfile +++ b/Caddyfile @@ -6,6 +6,12 @@ :80 { encode zstd gzip + header { + X-Frame-Options "DENY" + X-Content-Type-Options "nosniff" + Referrer-Policy "strict-origin-when-cross-origin" + } + handle /mcp { reverse_proxy 127.0.0.1:3001 }