diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..2fbebc7 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,5 @@ +## 2025-06-07 - [Added Security Headers via Caddy] + +**Vulnerability:** Missing HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy). +**Learning:** The application does not apply security headers in the Bun application server but instead relies on the Caddy reverse proxy to inject them in the `Caddyfile`. +**Prevention:** Always configure security headers at the reverse proxy level (`Caddyfile`) instead of within the backend API routing code to ensure all routes, including static files, are properly protected. diff --git a/Caddyfile b/Caddyfile index 5cd8f6d..55dbf52 100644 --- a/Caddyfile +++ b/Caddyfile @@ -6,6 +6,12 @@ :80 { encode zstd gzip + header { + X-Frame-Options "SAMEORIGIN" + X-Content-Type-Options "nosniff" + Referrer-Policy "strict-origin-when-cross-origin" + } + handle /mcp { reverse_proxy 127.0.0.1:3001 }