From 0395a780080d3378407d41e52893527b2b2c710b Mon Sep 17 00:00:00 2001
From: Davide Grilli <davide.grilli@outlook.com>
Date: Tue, 19 May 2026 10:10:05 +0200
Subject: [PATCH] fix(security): add HTTP security headers (CSP, HSTS,
 X-Frame-Options)

- middleware.ts: set X-Frame-Options, X-Content-Type-Options,
  Referrer-Policy, Permissions-Policy, Content-Security-Policy on all responses
- Caddyfile: add Strict-Transport-Security (HSTS 1y), X-Frame-Options,
  X-Content-Type-Options at reverse proxy level
---
 Caddyfile             | 5 +++++
 app/src/middleware.ts | 8 ++++++++
 2 files changed, 13 insertions(+)

diff --git a/Caddyfile b/Caddyfile
index 1921f60..098b46b 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,4 +1,9 @@
 localhost {
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Frame-Options "DENY"
+        X-Content-Type-Options "nosniff"
+    }
     handle /uploads/* {
         root * /srv
         file_server
diff --git a/app/src/middleware.ts b/app/src/middleware.ts
index da96832..e074ee2 100644
--- a/app/src/middleware.ts
+++ b/app/src/middleware.ts
@@ -4,6 +4,14 @@ import type { NextRequest } from 'next/server'
 export function middleware(request: NextRequest) {
   const response = NextResponse.next()
   response.headers.set('x-pathname', request.nextUrl.pathname)
+  response.headers.set('X-Frame-Options', 'DENY')
+  response.headers.set('X-Content-Type-Options', 'nosniff')
+  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
+  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()')
+  response.headers.set(
+    'Content-Security-Policy',
+    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://api.stripe.com; frame-src https://js.stripe.com; frame-ancestors 'none'"
+  )
   return response
 }