Kyle Isom 30fc3470fa Fix SEC-10: add Permissions-Policy header ...

- Add Permissions-Policy header disabling camera, microphone,
  geolocation, and payment browser features
- Update assertSecurityHeaders test helper to verify the new header

Security: Permissions-Policy restricts browser APIs that this
application does not use, reducing attack surface from content
injection vulnerabilities. No crypto or auth flow changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-13 00:41:20 -07:00

17 KiB

Raw Blame History

View Raw