From 30fc3470faac1aec05c0a8904452ebe4eb7c8677 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Fri, 13 Mar 2026 00:41:20 -0700
Subject: [PATCH] Fix SEC-10: add Permissions-Policy header
- Add Permissions-Policy header disabling camera, microphone, geolocation, and payment browser features
- Update assertSecurityHeaders test helper to verify the new header
Security: Permissions-Policy restricts browser APIs that this application does not use, reducing attack surface from content injection vulnerabilities. No crypto or auth flow changes.
Co-Authored-By: Claude Opus 4.6
---
 internal/ui/ui.go | 4 ++++
 internal/ui/ui_test.go | 1 +
 2 files changed, 5 insertions(+)
diff --git a/internal/ui/ui.go b/internal/ui/ui.go
index d6d13b0..ee942f3 100644
--- a/internal/ui/ui.go
+++ b/internal/ui/ui.go
@@ -545,6 +545,9 @@ const maxFormBytes = 1 << 20
 // requests to this origin for two years, preventing TLS-strip on revisit.
 // - Referrer-Policy: suppresses the Referer header on outbound navigations so
 // JWTs or session identifiers embedded in URLs are not leaked to third parties.
+// - Permissions-Policy: disables browser features (camera, microphone,
+// geolocation, payment) that this application does not use, reducing the
+// attack surface if a content-injection vulnerability is exploited.
 func securityHeaders(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 h := w.Header()
@@ -554,6 +557,7 @@ func securityHeaders(next http.Handler) http.Handler {
 h.Set("X-Frame-Options", "DENY")
 h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
 h.Set("Referrer-Policy", "no-referrer")
+ h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()")
 next.ServeHTTP(w, r)
 })
 }
diff --git a/internal/ui/ui_test.go b/internal/ui/ui_test.go
index 7b48050..c23b026 100644
--- a/internal/ui/ui_test.go
+++ b/internal/ui/ui_test.go
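Review bot: The Permissions-Policy value in the new `h.Set` line is a bare string literal that the companion test in ui_test.go only checks by its `camera=()` prefix, so the two copies can drift without any test failing. Hoisting it next to the other header values, e.g. `const permissionsPolicy = "camera=(), microphone=(), geolocation=(), payment=()"` and `h.Set("Permissions-Policy", permissionsPolicy)`, lets the test assert the exact value from one definition. Like the neighbouring headers it is written before `next.ServeHTTP`, so a downstream handler calling `Set`/`Del` on the same key can still override it; that is existing behaviour, but a sentence in the doc comment saying the middleware sets defaults rather than enforcing them would save a reader the surprise. The lines between `h := w.Header()` and the `X-Frame-Options` line are outside the hunk, so I cannot tell whether a Content-Security-Policy is set there; if it is not, the doc comment's content-injection claim leans harder on Permissions-Policy than that header can carry.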
@@ -79,6 +79,7 @@ func assertSecurityHeaders(t *testing.T, h http.Header, label string) {
 {"X-Frame-Options", "DENY"},
 {"Strict-Transport-Security", "max-age="},
 {"Referrer-Policy", "no-referrer"},
+ {"Permissions-Policy", "camera=()"},
 }
 for _, c := range checks {
 val := h.Get(c.header)
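Review bot: The new check `{"Permissions-Policy", "camera=()"}` pins only the first directive; if the comparison below the hunk is a prefix or substring match, as the `"max-age="` entry for HSTS suggests, a regression that drops `microphone=()`, `geolocation=()` or `payment=()` would still pass. Unlike HSTS this header has no variable component, so asserting the whole value costs nothing: `{"Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()"},`. assertSecurityHeaders begins before the hunk and its loop body continues after `val := h.Get(c.header)`, so the exact matching rule is not visible here.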