[api] Add security response headers middleware #28

Description

@yinkscss

Context

Phase 3 deliverables include security headers. API responses do not set standard hardening headers.

Problem

Browser clients and security scanners flag missing X-Content-Type-Options, X-Frame-Options, and related headers.

Proposed scope

  • Add tower-http SetHeaderLayer or custom middleware
  • Set nosniff, DENY frame ancestors, referrer policy
  • HSTS header when TLS termination detected (optional env flag)

Acceptance criteria

  • Public API responses include X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY or CSP frame-ancestors
  • Headers applied without breaking JSON clients
  • Listed in security checklist as complete

References

  • crates/api/src/main.rs
  • docs/ROADMAP.md Phase 3
  • docs/security-checklist.md
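As an added example that is not part of this issue or the project's code, the std-only sketch below models the intended middleware behaviour: each header is set only if a handler has not already set it (the semantics of tower-http's SetResponseHeaderLayer::if_not_present), Content-Type is left alone so JSON clients are unaffected, and HSTS is emitted only behind the env flag. Response, SecurityHeaders and hsts_from_env are names assumed here.

```rust
// Added example, not the project's code: a std-only sketch of the
// "set if not already present" behaviour that tower-http's
// SetResponseHeaderLayer::if_not_present would provide in the real stack.
// Response, SecurityHeaders and hsts_from_env are names assumed here.
/// Minimal stand-in for an HTTP response: a status and a header list.
pub struct Response {
    pub status: u16,
    pub headers: Vec<(String, String)>,
}

impl Response {
    // Case-insensitive lookup: HTTP header names are not case-sensitive.
    pub fn header(&self, name: &str) -> Option<&str> {
        self.headers.iter()
            .find(|(n, _)| n.eq_ignore_ascii_case(name))
            .map(|(_, v)| v.as_str())
    }
}

/// Middleware config: HSTS is emitted only when TLS is terminated in front
/// of the service, signalled by an env flag such as API_HSTS=1 (assumed name).
pub struct SecurityHeaders {
    pub hsts: bool,
}

impl SecurityHeaders {
    /// Accept "1", "true" or "yes" (any case); anything else disables HSTS.
    pub fn hsts_from_env(value: Option<&str>) -> bool {
        let v = value.map(|s| s.trim().to_ascii_lowercase());
        matches!(v.as_deref(), Some("1" | "true" | "yes"))
    }
    /// Add hardening headers a handler did not set itself, leaving
    /// Content-Type and any handler-provided CSP untouched.
    pub fn apply(&self, mut resp: Response) -> Response {
        let mut defaults = vec![
            ("X-Content-Type-Options", "nosniff"),
            ("X-Frame-Options", "DENY"),
            ("Content-Security-Policy", "frame-ancestors 'none'"),
            ("Referrer-Policy", "strict-origin-when-cross-origin"),
        ];
        if self.hsts {
            defaults.push(("Strict-Transport-Security", "max-age=31536000; includeSubDomains"));
        }
        for (name, value) in defaults {
            if resp.header(name).is_none() {
                resp.headers.push((name.to_string(), value.to_string()));
            }
        }
        resp
    }
}
```

In the real service the same name/value pairs would be wrapped in tower-http layers around the router in crates/api/src/main.rs.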

Metadata

Labels

  • api: REST API service
  • complexity:low: Trivial to low effort
  • help wanted: Extra attention is needed
  • phase-3: Phase 3: Production Hardening
  • security: Security hardening
