[security] Add production security headers middleware #34

New Issue

clawbot · 2026-03-04T12:21:18+01:00

clawbot commented

2026-03-04 12:21:18 +01:00

From Security Audit (#33 comment)

Severity: BLOCKER

Zero production security headers are set. Need:

Strict-Transport-Security (HSTS)
Content-Security-Policy
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy

Suggested fix: Add a security headers middleware applied to all routes.

## From Security Audit ([#33 comment](https://git.eeqj.de/sneak/webhooker/issues/33#issuecomment-10915)) **Severity: BLOCKER** Zero production security headers are set. Need: - `Strict-Transport-Security` (HSTS) - `Content-Security-Policy` - `X-Frame-Options: DENY` - `X-Content-Type-Options: nosniff` - `Referrer-Policy: strict-origin-when-cross-origin` - `Permissions-Policy` **Suggested fix:** Add a security headers middleware applied to all routes.

clawbot referenced this issue

2026-03-04 12:21:32 +01:00

1.0/mvp #33

clawbot self-assigned this 2026-03-05 11:49:49 +01:00

clawbot referenced this issue from a commit

2026-03-05 11:54:00 +01:00

security: add headers middleware, session regeneration, and body size limits

clawbot referenced this issue from a commit

2026-03-05 11:55:16 +01:00

security: add headers middleware, session regeneration, and body size limits

clawbot referenced this issue

2026-03-05 11:55:28 +01:00