- Add globalSecurityHeaders middleware wrapping root handler
- Sets X-Content-Type-Options, Strict-Transport-Security, Cache-Control on all responses (API and UI)
- Add tests verifying headers on /v1/health and /v1/auth/login

Security: API responses previously lacked HSTS, nosniff, and cache-control headers. The new middleware applies these universally. Headers are safe for all content types and do not conflict with the UI's existing securityHeaders middleware.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
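The commit message describes a middleware that wraps the root handler and sets security headers on every response, plus tests that check them on two routes. The block below is an added illustration of that pattern and is not the project's code: the project and its language are not identified on this page, so the Go `net/http` shape, the `globalSecurityHeaders`, `newRouter` and `missingHeaders` names, the header values, and the placeholder `/v1/health` and `/v1/auth/login` handlers are all assumptions. It also exercises a case worth covering in such tests: the headers must be set before the wrapped handler writes, and they must survive error responses such as a 405 from the login route.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// securityHeaders lists the headers the middleware applies to every response.
// The header values are assumptions for this example, not the project's own.
var securityHeaders = map[string]string{
	"X-Content-Type-Options":    "nosniff",
	"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
	"Cache-Control":             "no-store",
}

// globalSecurityHeaders wraps a root handler so the headers above are set
// before the wrapped handler writes anything. Ordering matters: once a
// handler calls WriteHeader (explicitly or via the first Write), later
// changes to the header map are silently ignored.
func globalSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		for k, v := range securityHeaders {
			h.Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter builds a minimal mux with two constructed routes standing in for
// /v1/health and /v1/auth/login. The handler bodies are placeholders; the
// login route deliberately rejects non-POST requests so the test can check
// that an error response still carries the headers.
func newRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/health", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	mux.HandleFunc("/v1/auth/login", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"token":"placeholder"}`)
	})
	return globalSecurityHeaders(mux)
}

// missingHeaders issues an in-memory request against handler and returns the
// names of expected security headers that are absent or carry a different
// value. An empty result means the response is fully covered.
func missingHeaders(handler http.Handler, method, path string) []string {
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	var missing []string
	for k, want := range securityHeaders {
		if got := rec.Header().Get(k); got != want {
			missing = append(missing, k)
		}
	}
	return missing
}

func main() {
	h := newRouter()
	for _, c := range []struct{ method, path string }{
		{http.MethodGet, "/v1/health"},
		{http.MethodPost, "/v1/auth/login"},
		{http.MethodGet, "/v1/auth/login"}, // 405 path: headers must still be present
		{http.MethodGet, "/does-not-exist"}, // 404 from the mux itself
	} {
		fmt.Printf("%s %s missing=%v\n", c.method, c.path, missingHeaders(h, c.method, c.path))
	}
}
```

Wrapping the root handler rather than registering the headers per route is what makes the coverage universal: 404s produced by the mux and early error returns inside a handler go through the same wrapper, so the test for the 405 and the unknown path is the one that would catch a regression if someone later moved the middleware inside an individual route.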