diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..fb5f5f8 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-06-01 - [Missing Security Headers] +**Vulnerability:** The web application served by Caddy was missing essential security headers, making it more vulnerable to Clickjacking and MIME-sniffing attacks. +**Learning:** Security headers should be explicitly configured in the reverse proxy/web server (Caddy in this case) since they are not typically added by default application servers or front-end frameworks. +**Prevention:** Always ensure standard security headers (`X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, etc.) are configured globally in the Caddyfile or equivalent web server configuration for all incoming requests. diff --git a/Caddyfile b/Caddyfile index af2a42a..85d3d15 100644 --- a/Caddyfile +++ b/Caddyfile @@ -6,6 +6,12 @@ :80 { encode zstd gzip + header { + X-Frame-Options "DENY" + X-Content-Type-Options "nosniff" + Referrer-Policy "strict-origin-when-cross-origin" + } + @mcp path /mcp handle @mcp { reverse_proxy 127.0.0.1:3001