- Add globalSecurityHeaders middleware wrapping root handler
- Sets X-Content-Type-Options, Strict-Transport-Security, Cache-Control
on all responses (API and UI)
- Add tests verifying headers on /v1/health and /v1/auth/login
Security: API responses previously lacked HSTS, nosniff, and
cache-control headers. The new middleware applies these universally.
Headers are safe for all content types and do not conflict with
the UI's existing securityHeaders middleware.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kyle Isom
3f09d5eb4f