security: add X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers#533

Open
xpoes123 wants to merge 1 commit into qbreader:main from xpoes123:security/baseline-headers
Conversation

@xpoes123 xpoes123 commented Jun 30, 2026

Contributor

No security response headers were set on any route. This adds a small middleware in app.js that applies three baseline headers to every response.

Problem

Without X-Content-Type-Options, browsers may MIME-sniff response bodies and execute content as a different type than declared. Without X-Frame-Options, any external site can embed qbreader pages in an iframe (clickjacking). Without Referrer-Policy, the full URL — including any query parameters — leaks to third-party origins via the Referer header.

Changes

  • Adds an inline middleware before routing that sets:
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: SAMEORIGIN
    • Referrer-Policy: strict-origin-when-cross-origin

Risk & testing

Configuration-only, no logic changes. CSP is intentionally omitted to avoid breaking existing inline scripts and styles; HSTS is omitted since HTTPS is already enforced by the existing httpsEnforcement middleware. No new dependencies. semistandard and node --check pass.
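As an added example (not the PR's own diff, which is not shown on this page): an Express-style middleware that sets the three headers listed above, plus an audit helper a reviewer could run against any response object to confirm the baseline is present. The stub response object and `demo` function are constructed here so it runs without Express.

```javascript
const BASELINE_HEADERS = Object.freeze({
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'strict-origin-when-cross-origin'
});

// Express-style middleware. Mount before routing (app.use(baselineHeaders)) so
// every response, including error pages, carries the headers.
function baselineHeaders (req, res, next) {
  for (const [name, value] of Object.entries(BASELINE_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Audit helper: report baseline headers a response is missing or has set to an
// unexpected value. Useful as a regression test once the middleware is in place.
function auditBaselineHeaders (res) {
  const findings = [];
  for (const [name, expected] of Object.entries(BASELINE_HEADERS)) {
    const actual = res.getHeader(name);
    if (actual === undefined) {
      findings.push(`${name}: missing`);
    } else if (String(actual).toLowerCase() !== expected.toLowerCase()) {
      findings.push(`${name}: expected "${expected}", got "${actual}"`);
    }
  }
  return findings;
}

// Minimal stand-in for a response object (constructed here so the example runs
// without Express); header names are case-insensitive like real HTTP headers.
function makeStubResponse () {
  const headers = new Map();
  return {
    setHeader (name, value) { headers.set(name.toLowerCase(), value); },
    getHeader (name) { return headers.get(name.toLowerCase()); }
  };
}

// Run the middleware against a stub and audit an untouched response for contrast.
function demo () {
  const untouched = makeStubResponse();
  const res = makeStubResponse();
  let nextCalled = false;
  baselineHeaders({}, res, () => { nextCalled = true; });
  return { before: auditBaselineHeaders(untouched), after: auditBaselineHeaders(res), nextCalled };
}
```

Running `auditBaselineHeaders` against a real `http.ServerResponse` after the middleware has executed gives the same empty findings list, which is the check a reviewer would want before merging.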

@xpoes123 xpoes123 changed the title security: add baseline security response headers security: add X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers Jun 30, 2026