Problem
The Express server in src/server/start.ts sets no HTTP security headers beyond cookies. Missing headers:
X-Content-Type-Options: nosniff — prevents MIME-type sniffing
X-Frame-Options: DENY — prevents clickjacking via iframe embedding
Strict-Transport-Security — enforces HTTPS in production
Referrer-Policy: strict-origin-when-cross-origin — limits referrer leakage
This is separate from Content-Security-Policy (#119).
Fix
Either add helmet as a dependency or manually set headers via middleware:
    // Set the baseline security headers on every response.
    app.use((_req, res, next) => {
      res.setHeader("X-Content-Type-Options", "nosniff");
      res.setHeader("X-Frame-Options", "DENY");
      res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
      // HSTS only where TLS is actually terminated; sending it from a plain-HTTP dev server
      // would make browsers cache an HTTPS-only policy for that host.
      if (process.env.NODE_ENV === "production") {
        res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
      }
      next();
    });
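As an added example (not the project's code), the same middleware written as a reusable factory that works with Express or plain Node `http`, plus a checker that reports which of the headers above are missing or wrong on a response, which is the assertion an integration test for this fix would make. The `fakeResponse` stand-in is an assumption used so the demo runs offline without Express.

```javascript
// Headers the middleware must always set (values from the issue).
const REQUIRED_HEADERS = {
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};
const HSTS_VALUE = "max-age=31536000; includeSubDomains";

// Returns (req, res, next) middleware; `production` defaults to NODE_ENV.
function securityHeaders(options = {}) {
  const production = options.production ?? process.env.NODE_ENV === "production";
  return function (_req, res, next) {
    for (const [name, value] of Object.entries(REQUIRED_HEADERS)) {
      res.setHeader(name, value);
    }
    // HSTS is only meaningful (and only safe) where TLS is terminated.
    if (production) {
      res.setHeader("Strict-Transport-Security", HSTS_VALUE);
    }
    next();
  };
}

// Lists header problems on a response; an empty array means all expected headers are set.
function missingSecurityHeaders(res, { production = false } = {}) {
  const expected = { ...REQUIRED_HEADERS };
  if (production) expected["Strict-Transport-Security"] = HSTS_VALUE;
  const problems = [];
  for (const [name, value] of Object.entries(expected)) {
    const actual = res.getHeader(name);
    if (actual === undefined) problems.push(`${name}: missing`);
    else if (String(actual) !== value) problems.push(`${name}: got "${actual}"`);
  }
  return problems;
}

// Hypothetical minimal response object (case-insensitive headers like Node's ServerResponse).
function fakeResponse() {
  const headers = new Map();
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), value); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
  };
}

// Runs the middleware against a fake response and checks it; returns the result.
function runDemo(production) {
  const res = fakeResponse();
  let nextCalled = false;
  securityHeaders({ production })({}, res, () => { nextCalled = true; });
  return { nextCalled, problems: missingSecurityHeaders(res, { production }) };
}
```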
Scope
Small middleware addition in src/server/start.ts.