Skip to content

feat: add security headers to all responses#305

Open
allamiro wants to merge 1 commit into
lixmal:masterfrom
allamiro:feat/security-headers
Open

feat: add security headers to all responses#305
allamiro wants to merge 1 commit into
lixmal:masterfrom
allamiro:feat/security-headers

Conversation

@allamiro

@allamiro allamiro commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Fixes #279.

Change

Adds DefaultHeaders middleware setting on every response:

  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: no-referrer

The middleware is registered last (= outermost in actix's reverse wrap order), which matters: responses short-circuited by the auth middleware would otherwise bypass it — verified during testing.

Content-Security-Policy is deliberately left out for now: embed_in_index injects an inline <script> into the index page, so a meaningful CSP needs frontend changes first (nonce or postMessage approach). Can be tracked separately.

Testing

  • cargo test: 9/9 pass
  • Live verification with curl: all three headers present on a short-circuited 401 (the case the naive middleware ordering misses)

Summary by cubic

Add default security headers to all HTTP responses using actix_web DefaultHeaders. Middleware is registered outermost so short-circuited responses also include them; CSP is deferred due to an inline script in the index.

  • New Features
    • Add X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer on every response.
    • Register DefaultHeaders last to cover auth 401s and other short-circuits.

Written for commit 4c4b0f2. Summary will update on new commits.

Review in cubic

X-Frame-Options: DENY, X-Content-Type-Options: nosniff and
Referrer-Policy: no-referrer via DefaultHeaders middleware, registered
outermost so even short-circuited responses (auth middleware 401s)
carry them. CSP is left out for now since the index page relies on
inline script injection.
@allamiro allamiro force-pushed the feat/security-headers branch from 4c4b0f2 to 9428184 Compare June 13, 2026 00:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Missing security headers (CSP, X-Frame-Options, X-Content-Type-Options)

1 participant