From the post-#121 security audit.
Severity: nit
File(s): server/server.js
Why: server doesn't set X-Frame-Options, X-Content-Type-Options, or CSP. Railway terminates TLS and may set some at the edge, but defense-in-depth at the app layer is cheap.
Suggestion: drop in app.use(helmet()) after the CORS middleware. No CSP customisation needed since the server only serves JSON, not HTML.
🤖 Generated with Claude Code
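Added illustration, not code from this repository or from helmet: an Express-style middleware that sets the three headers the audit names, wired in after a CORS stand-in, plus a checker that reports which of them a response is missing. It assumes only Node's standard runtime (no express or helmet import), and the header values are chosen for a JSON-only API rather than copied from helmet's defaults.

```javascript
// Headers the audit expects on every response, even if the Railway edge adds some of them.
// Values are picked for a JSON-only API (assumption); helmet() may choose different defaults.
const REQUIRED_HEADERS = {
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  // No HTML is served, so nothing may load or frame these responses.
  'content-security-policy': "default-src 'none'; frame-ancestors 'none'",
};

// Express-signature middleware: the role app.use(helmet()) would play in server.js.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Stand-in for the cors() middleware that must run before the security headers.
function corsStandIn(req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', 'https://example.invalid'); // constructed value
  next();
}

// Final JSON route, as in the real server.
function jsonRoute(req, res) {
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ ok: true }));
}

// Runs a middleware chain against a request/response pair, like Express does.
function runPipeline(chain, req, res) {
  let i = 0;
  const next = () => chain[i++](req, res, next);
  next();
}

// Audit check: which required headers are absent from a header map (case-insensitive).
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  return Object.keys(REQUIRED_HEADERS).filter((name) => !present.has(name));
}

// Minimal in-memory response object so the pipeline can run without a socket.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end() {},
  };
}
```

Running `runPipeline([corsStandIn, securityHeaders, jsonRoute], {}, res)` and then `missingSecurityHeaders(res.headers)` yields an empty list, while omitting `securityHeaders` from the chain reports all three names.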