From 887d3776b80d8987343fb92547f029278efa1eb6 Mon Sep 17 00:00:00 2001 From: ruinivist <179396038+ruinivist@users.noreply.github.com> Date: Mon, 1 Jun 2026 07:41:22 +0000 Subject: [PATCH] feat: add security headers to caddyfile --- .jules/sentinel.md | 4 ++++ Caddyfile | 6 ++++++ 2 files changed, 10 insertions(+) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..fb5f5f8 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-06-01 - [Missing Security Headers] +**Vulnerability:** The web application served by Caddy was missing essential security headers, making it more vulnerable to Clickjacking and MIME-sniffing attacks. +**Learning:** Security headers should be explicitly configured in the reverse proxy/web server (Caddy in this case) since they are not typically added by default application servers or front-end frameworks. +**Prevention:** Always ensure standard security headers (`X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, etc.) are configured globally in the Caddyfile or equivalent web server configuration for all incoming requests. diff --git a/Caddyfile b/Caddyfile index af2a42a..85d3d15 100644 --- a/Caddyfile +++ b/Caddyfile @@ -6,6 +6,12 @@ :80 { encode zstd gzip + header { + X-Frame-Options "DENY" + X-Content-Type-Options "nosniff" + Referrer-Policy "strict-origin-when-cross-origin" + } + @mcp path /mcp handle @mcp { reverse_proxy 127.0.0.1:3001