fix: make security headers configurable and add tests

2026-02-24 17:36:44 +01:00
parent 93161d3800
commit 3fd5fe5f8c
5 changed files with 219 additions and 12 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -7,6 +7,11 @@ REQUEST_LOG_INCLUDE_HEALTH=false
 DATABASE_URL=postgresql+psycopg://postgres:postgres@localhost:5432/mission_control
 CORS_ORIGINS=http://localhost:3000
 BASE_URL=
+# Security response headers (blank values disable each header).
+SECURITY_HEADER_X_CONTENT_TYPE_OPTIONS=
+SECURITY_HEADER_X_FRAME_OPTIONS=
+SECURITY_HEADER_REFERRER_POLICY=
+SECURITY_HEADER_PERMISSIONS_POLICY=

 # Auth mode: clerk or local.
 AUTH_MODE=local