forked from molecule-ai/molecule-core
67a9ec8fcb
SecurityHeaders() middleware already sets X-Content-Type-Options: nosniff and X-Frame-Options: DENY globally on every response (issue #151 / PR ~securityheaders). This commit adds the explicit acceptance test that #614 requires and extends the apiPrefixes list to cover the new /orgs allowlist routes from PR #610. Changes: - securityheaders.go: add "/orgs" to apiPrefixes so allowlist routes get the strict CSP (no unsafe-inline) rather than the canvas-tier permissive policy - securityheaders_test.go: TestSecurityHeaders_614_NosniffOnSSEAndAPIEndpoints verifies the header is present on SSE endpoint, /settings/secrets, /events, and /orgs paths; TestIsAPIPath gains /orgs cases Closes #614 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| bundle | ||
| channels | ||
| crypto | ||
| db | ||
| envx | ||
| events | ||
| handlers | ||
| metrics | ||
| middleware | ||
| models | ||
| plugins | ||
| provisioner | ||
| registry | ||
| router | ||
| scheduler | ||
| supervised | ||
| ws | ||
| wsauth | ||