diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..ff38ecf --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-06-06 - Missing HTTP Security Headers +**Vulnerability:** The Caddyfile configuration was missing standard HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), leaving the application susceptible to clickjacking, MIME-type sniffing, and sensitive data leakage via referrers. +**Learning:** The application relies on Caddy as a reverse proxy, and by default, Caddy doesn't automatically add these specific security headers unless explicitly configured. +**Prevention:** Ensure that reverse proxy configurations in new projects or updates to existing ones explicitly include essential HTTP security headers in a global scope to protect all served content. diff --git a/Caddyfile b/Caddyfile index 5cd8f6d..2c637e5 100644 --- a/Caddyfile +++ b/Caddyfile @@ -1,30 +1,36 @@ { - auto_https off - admin off + auto_https off + admin off } :80 { - encode zstd gzip + encode zstd gzip - handle /mcp { - reverse_proxy 127.0.0.1:3001 - } + header { + X-Frame-Options "SAMEORIGIN" + X-Content-Type-Options "nosniff" + Referrer-Policy "strict-origin-when-cross-origin" + } - @app path / /api/* - handle @app { - reverse_proxy 127.0.0.1:3000 - } + handle /mcp { + reverse_proxy 127.0.0.1:3001 + } - handle { - root * /srv/public + @app path / /api/* + handle @app { + reverse_proxy 127.0.0.1:3000 + } - @html path /index.html /d/* /p/* - header @html Cache-Control "no-cache" + handle { + root * /srv/public - @assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$ - header @assets Cache-Control "public, max-age=31536000, immutable" + @html path /index.html /d/* /p/* + header @html Cache-Control "no-cache" - try_files {path} /index.html - file_server - } + @assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$ + header @assets Cache-Control "public, max-age=31536000, immutable" + + try_files {path} /index.html + file_server + } }