
[Security] Hand-rolled security headers omit Content-Security-Policy, COOP and CORP; /api-docs serves HTML with no CSP #821

Description

@grantfox-oss

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

backend/src/app.ts:35-46 sets a helmet-equivalent set of security headers by hand but omits Content-Security-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy. Swagger UI is mounted at /api-docs and returns HTML, so without a CSP that page carries no script or style restrictions at all.

Acceptance criteria

  • Add Content-Security-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy (or replace the hand-rolled block with helmet)
  • Ensure the Swagger UI page still loads under the chosen CSP
  • Keep HSTS gated on production as today
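The following is an added example, not code from this repository: a small header builder and an Express-compatible middleware that covers the three acceptance criteria above. The header values, the `/api-docs` path check and the assumption that the Swagger UI page needs `'unsafe-inline'` for its script and style tags are mine; verify the last point against the browser console on the real `/api-docs` page and tighten the policy if the page loads without it.

```typescript
// Added example (not the project's own app.ts). Builds the header set the
// issue asks for and gates HSTS on a production flag, as the issue requires.

type HeaderMap = { [name: string]: string };

interface SecurityHeaderOptions {
  production: boolean;
  // Assumption: the Swagger UI HTML page relies on inline <script>/<style>
  // tags, so its CSP needs 'unsafe-inline'. Every other route gets the strict
  // policy. Verify this against the actual /api-docs page before shipping.
  allowInline?: boolean;
}

function buildCsp(allowInline: boolean): string {
  const selfOrInline = allowInline ? "'self' 'unsafe-inline'" : "'self'";
  return [
    "default-src 'self'",
    "script-src " + selfOrInline,
    "style-src " + selfOrInline,
    "img-src 'self' data:",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

function securityHeaders(opts: SecurityHeaderOptions): HeaderMap {
  const headers: HeaderMap = {
    "Content-Security-Policy": buildCsp(opts.allowInline === true),
    // Isolates the browsing context from cross-origin openers.
    "Cross-Origin-Opener-Policy": "same-origin",
    // Blocks cross-origin documents from embedding this origin's responses.
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
  };
  // HSTS only in production, matching the current behaviour the issue keeps.
  if (opts.production) {
    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
  }
  return headers;
}

// Structural types so this file compiles without importing express.
interface ReqLike { path: string }
interface ResLike { setHeader(name: string, value: string): void }

// Usage in app.ts would be: app.use(securityHeadersMiddleware(isProduction));
function securityHeadersMiddleware(production: boolean) {
  return (req: ReqLike, res: ResLike, next: () => void): void => {
    const isDocs = req.path === "/api-docs" || req.path.indexOf("/api-docs/") === 0;
    const headers = securityHeaders({ production, allowInline: isDocs });
    for (const name in headers) {
      res.setHeader(name, headers[name]);
    }
    next();
  };
}

// Helper for checking what a request would receive; returns the header map.
function headersFor(path: string, production: boolean): HeaderMap {
  const captured: HeaderMap = {};
  const res: ResLike = { setHeader: (n, v) => { captured[n] = v; } };
  securityHeadersMiddleware(production)({ path }, res, () => undefined);
  return captured;
}
```

The relaxed policy is scoped to the docs path only, so the rest of the API keeps the strict CSP; if the Swagger page turns out to load fine without `'unsafe-inline'`, drop the `allowInline` branch entirely.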

Files to touch

  • backend/src/app.ts

Out of scope

  • Rate limiting / CORS changes

Labels

  • Stellar Wave (Issues in the Stellar wave program)
  • backend (Backend related tasks)
  • enhancement (New feature or request)
  • security (Security related tasks)