diff --git a/docs/security-headers.md b/docs/security-headers.md new file mode 100644 index 0000000..f99e8d5 --- /dev/null +++ b/docs/security-headers.md @@ -0,0 +1,14 @@ +# Security headers + +Baseline hardening headers are applied on every response (see +`src/__tests__/securityHeaders.test.ts`): + +| Header | Value | +|--------|-------| +| `X-Content-Type-Options` | `nosniff` | +| `X-Frame-Options` | `DENY` | +| `Referrer-Policy` | `no-referrer` | +| `Strict-Transport-Security` | `max-age=…` | + +Content-Security-Policy tightening is tracked separately; do not duplicate header +logic outside the centralized middleware.