Merge SEC-10: add Permissions-Policy header

internal/ui/ui.go

@@ -564,6 +564,9 @@ func noDirListing(next http.Handler) http.Handler {
 //     requests to this origin for two years, preventing TLS-strip on revisit.
 //   - Referrer-Policy: suppresses the Referer header on outbound navigations so
 //     JWTs or session identifiers embedded in URLs are not leaked to third parties.
+//   - Permissions-Policy: disables browser features (camera, microphone,
+//     geolocation, payment) that this application does not use, reducing the
+//     attack surface if a content-injection vulnerability is exploited.
 func securityHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		h := w.Header()
@@ -573,6 +576,7 @@ func securityHeaders(next http.Handler) http.Handler {
 		h.Set("X-Frame-Options", "DENY")
 		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
 		h.Set("Referrer-Policy", "no-referrer")
+		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()")
 		next.ServeHTTP(w, r)
 	})
 }

internal/ui/ui_test.go

@@ -79,6 +79,7 @@ func assertSecurityHeaders(t *testing.T, h http.Header, label string) {
 		{"X-Frame-Options", "DENY"},
 		{"Strict-Transport-Security", "max-age="},
 		{"Referrer-Policy", "no-referrer"},
+		{"Permissions-Policy", "camera=()"},
 	}
 	for _, c := range checks {
 		val := h.Get(c.header)