From 8e145a2129915f99744b8f19115fb809393254ea Mon Sep 17 00:00:00 2001
From: Hugh Brown
Date: Tue, 3 Mar 2026 13:40:03 -0700
Subject: [PATCH] security: set sensible defaults for security response headers

X-Content-Type-Options, X-Frame-Options, and Referrer-Policy all defaulted to empty (disabled). Set defaults to nosniff, DENY, and strict-origin-when-cross-origin respectively. Operators can still override or disable via environment variables.

Co-Authored-By: Claude Opus 4.6
---
 backend/app/core/config.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/backend/app/core/config.py b/backend/app/core/config.py
index 46d20683..1534d556 100644
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -49,11 +49,12 @@ class Settings(BaseSettings):
 
     clerk_leeway: float = 10.0
     cors_origins: str = ""
-    base_url: str
-    # Security response headers (blank disables header injection)
-    security_header_x_content_type_options: str = ""
-    security_header_x_frame_options: str = ""
-    security_header_referrer_policy: str = ""
+    base_url: str = ""
+
+    # Security response headers (set to blank to disable a specific header)
+    security_header_x_content_type_options: str = "nosniff"
+    security_header_x_frame_options: str = "DENY"
+    security_header_referrer_policy: str = "strict-origin-when-cross-origin"
     security_header_permissions_policy: str = ""
 
     # Database lifecycle
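Review bot: The hunk quietly changes `base_url: str` (required, so settings loading fails when the value is missing) into `base_url: str = ""`, and neither the commit title nor the description mentions it; a deployment that omits BASE_URL now starts with an empty base URL instead of failing fast at startup. If the relaxation is not intentional, keep the field required: `base_url: str`. If it is intentional, say so in the commit message and document the empty-string behaviour next to the field, e.g. `# base_url: empty means "not configured" — callers must handle it`. The header defaults themselves read well, though a one-line comment that X-Frame-Options is the legacy framing control and that Permissions-Policy stays disabled until an operator sets it would help the next reader. The enclosing `Settings` class begins before and continues after this hunk.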