Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0
Why this matters
backend/src/app.ts:35-46 hand-sets a helmet-equivalent header set but omits Content-Security-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy. Swagger UI is mounted at /api-docs and returns HTML, so without a CSP that page has no restrictions on where its scripts and styles may be loaded from; without COOP the document stays reachable through window references held by cross-origin openers, and without CORP other origins can still embed the app's responses as no-cors subresources.
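As an added example (this is not code from backend/src/app.ts; the existing-header values, the exact CSP directives and the "set a stricter policy on JSON routes, a relaxed one on /api-docs" split are assumptions), here is the same hand-rolled style extended with the three missing headers, plus the check a reviewer would run against a captured response to confirm they are present:

```typescript
// Added example, not the project's code. Header values are assumptions; the
// Swagger UI CSP in particular must be verified against the installed
// swagger-ui-express version (run it as Content-Security-Policy-Report-Only
// first and watch the browser console before enforcing).

export type HeaderMap = Record<string, string>;

// Structural stand-in for express.Response so this runs without express.
export interface ResLike {
  setHeader(name: string, value: string): void;
}

// The three headers the issue reports as missing from app.ts:35-46.
export const REQUIRED_HEADERS: readonly string[] = [
  "content-security-policy",
  "cross-origin-opener-policy",
  "cross-origin-resource-policy",
];

// Serialise a directives object into a CSP header value; directives with no
// sources (e.g. upgrade-insecure-requests) are emitted bare.
export function buildCsp(directives: Record<string, string[]>): string {
  return Object.keys(directives)
    .map((name) => {
      const sources = directives[name];
      return sources.length > 0 ? `${name} ${sources.join(" ")}` : name;
    })
    .join("; ");
}

// What the issue describes app.ts doing today: a helmet-style set without
// CSP, COOP or CORP (these values are assumed, not copied from the repo).
export function currentHeaders(): HeaderMap {
  return {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "no-referrer",
  };
}

// JSON API routes: a policy that allows nothing is safe for non-HTML responses
// and still applies if a browser ever renders a body as a document.
export function apiHeaders(): HeaderMap {
  return {
    ...currentHeaders(),
    "content-security-policy": buildCsp({
      "default-src": ["'none'"],
      "frame-ancestors": ["'none'"],
    }),
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
  };
}

// The Swagger UI HTML at /api-docs. It loads its own scripts and stylesheets
// from the same origin; 'unsafe-inline' for styles is a common concession
// (assumption: confirm it is needed, and do not grant it for scripts without
// checking the report-only violations first).
export function docsHeaders(): HeaderMap {
  return {
    ...currentHeaders(),
    "content-security-policy": buildCsp({
      "default-src": ["'self'"],
      "script-src": ["'self'"],
      "style-src": ["'self'", "'unsafe-inline'"],
      "img-src": ["'self'", "data:"],
      "font-src": ["'self'", "data:"],
      "object-src": ["'none'"],
      "base-uri": ["'self'"],
      "form-action": ["'self'"],
      "frame-ancestors": ["'none'"],
    }),
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
  };
}

// Express-style middleware factory that sets a fixed header map on every
// response. setHeader overwrites, so a route-specific instance mounted after
// the global one replaces the global CSP for that route.
export function setHeaders(headers: HeaderMap) {
  return (_req: unknown, res: ResLike, next: () => void): void => {
    for (const name of Object.keys(headers)) {
      res.setHeader(name, headers[name]);
    }
    next();
  };
}

// Reviewer's check: which required headers are absent from a captured
// response (header names compared case-insensitively).
export function missingSecurityHeaders(response: HeaderMap): string[] {
  const present = Object.keys(response).map((k) => k.toLowerCase());
  return REQUIRED_HEADERS.filter((h) => present.indexOf(h) === -1);
}

// Run a middleware against a fake response and return the headers it set.
export function capture(mw: ReturnType<typeof setHeaders>): HeaderMap {
  const out: HeaderMap = {};
  mw({}, { setHeader: (n, v) => { out[n] = v; } }, () => {});
  return out;
}
```

Assumed wiring in app.ts: `app.use(setHeaders(apiHeaders()))` before the routes, then `app.use('/api-docs', setHeaders(docsHeaders()), swaggerUi.serve, swaggerUi.setup(spec))` so the relaxed policy applies only to the HTML route. Using helmet's own `contentSecurityPolicy()` and `crossOriginOpenerPolicy()` middleware would be the alternative if the hand-rolled set is replaced rather than extended.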
Acceptance criteria
Files to touch
backend/src/app.ts
Out of scope
- Rate limiting / CORS changes