From 6be01ea81f5206c4f706dcd199322bbd9ceb02be Mon Sep 17 00:00:00 2001 From: user Date: Tue, 10 Mar 2026 18:07:18 -0700 Subject: [PATCH] =?UTF-8?q?fix:=20clarify=20TLS=20policy=20=E2=80=94=20ser?= =?UTF-8?q?vices=20never=20terminate=20TLS=20directly?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Our services always sit behind a TLS-terminating reverse proxy and listen on plain HTTP. Updated the TLS subsection to state this as policy rather than presenting it as one of two options. --- prompts/REPO_POLICIES.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/prompts/REPO_POLICIES.md b/prompts/REPO_POLICIES.md index 635c6df..d7c9826 100644 --- a/prompts/REPO_POLICIES.md +++ b/prompts/REPO_POLICIES.md @@ -179,9 +179,10 @@ style conventions are in separate documents: or other implementation details to the client. Return generic error messages in production; detailed errors only when `DEBUG` is enabled. - **TLS:** - - The service itself may terminate TLS or sit behind a TLS-terminating - reverse proxy, but HSTS headers and secure cookie flags must be set - regardless so that the browser enforces HTTPS. + - Services never terminate TLS directly. They are always deployed behind + a TLS-terminating reverse proxy. The service itself listens on plain + HTTP. However, HSTS headers and `Secure` cookie flags must still be + set by the application so that the browser enforces HTTPS end-to-end. This list is non-exhaustive. Apply defense-in-depth: if a standard security hardening measure exists for HTTP services and is not listed here, it is
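Review bot: the added wording "so that the browser enforces HTTPS end-to-end" contradicts the two sentences before it, which state that the service listens on plain HTTP behind the proxy; HSTS and the `Secure` cookie flag only govern the browser-to-proxy leg, and the proxy-to-service hop in this policy is cleartext. Suggest replacing "end-to-end" with "when talking to the proxy" and adding one sentence on how that cleartext hop is protected (for example, a private network segment reachable only by the proxy). The policy should also say how the application learns that the original request was HTTPS when it only ever sees plain HTTP, since frameworks that derive the scheme from the socket may decline to set `Secure` cookies or emit HSTS on what they see as an HTTP request; a typical fix is to honour a forwarded-protocol header only when it arrives from the trusted proxy address, with the proxy stripping any such header supplied by the client.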