26215cf721
SecurityHeaders() middleware already sets X-Content-Type-Options: nosniff and X-Frame-Options: DENY globally on every response (issue #151 / PR ~securityheaders). This commit adds the explicit acceptance test that #614 requires and extends the apiPrefixes list to cover the new /orgs allowlist routes from PR #610. Changes: - securityheaders.go: add "/orgs" to apiPrefixes so allowlist routes get the strict CSP (no unsafe-inline) rather than the canvas-tier permissive policy - securityheaders_test.go: TestSecurityHeaders_614_NosniffOnSSEAndAPIEndpoints verifies the header is present on SSE endpoint, /settings/secrets, /events, and /orgs paths; TestIsAPIPath gains /orgs cases Closes #614 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| ratelimit_test.go | ||
| ratelimit.go | ||
| securityheaders_test.go | ||
| securityheaders.go | ||
| tenant_guard_test.go | ||
| tenant_guard.go | ||
| wsauth_middleware_test.go | ||
| wsauth_middleware.go | ||