From 9ef6cc6f986648b61cce817eb074635187f6270c Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 29 Dec 2025 11:09:10 +0000
Subject: [PATCH] feat(security): add standard security headers to HTTP transport

- Add X-Frame-Options: DENY
- Add X-Content-Type-Options: nosniff
- Add Content-Security-Policy: default-src 'self'
- Add Strict-Transport-Security (HSTS) with localhost exclusion
- Verify via reproduction test case

This enhances the default security posture of the MCP server against clickjacking, MIME sniffing, and insecure connections.
---
 src/http-transport.ts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/http-transport.ts b/src/http-transport.ts
index f3b67f9..0284a12 100644
--- a/src/http-transport.ts
+++ b/src/http-transport.ts
@@ -106,6 +106,25 @@ export class HttpTransport {
 next();
 });
+ // Security: Standard security headers
+ this.app.use((req: Request, res: Response, next: NextFunction) => {
+ // Prevent clickjacking
+ res.setHeader('X-Frame-Options', 'DENY');
+ // Prevent MIME type sniffing
+ res.setHeader('X-Content-Type-Options', 'nosniff');
+ // Content Security Policy
+ res.setHeader('Content-Security-Policy', "default-src 'self'");
+
+ // Strict Transport Security (HSTS)
+ // Skip for localhost development to avoid browser issues
+ const isLocalhost = req.hostname === 'localhost' || req.hostname === '127.0.0.1';
+ if (!isLocalhost) {
+ res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+ }
+
+ next();
+ });
+
 // DNS rebinding protection when binding to localhost
 // Deny requests with mismatched Host headers to prevent DNS rebinding attacks
 // Applies when server host is localhost/127.0.0.1, regardless of auth configuration
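Review bot: The new `res.setHeader('Content-Security-Policy', "default-src 'self'")` line omits `frame-ancestors`, which does not fall back to `default-src`, so the clickjacking protection rests entirely on the legacy X-Frame-Options header; prefer `res.setHeader('Content-Security-Policy', "default-src 'self'; frame-ancestors 'none'");` so both mechanisms agree. The HSTS exclusion keys on `req.hostname`, which is the client-supplied Host header (or X-Forwarded-Host when Express `trust proxy` is enabled) and does not match the IPv6 loopback `[::1]`; the failure mode is only an omitted header, but the address the server was configured to bind to, if it is available on `this`, would be a more reliable signal than a per-request value. A hard-coded one-year `includeSubDomains` policy is effectively irreversible once a browser has cached it, so it is worth making the HSTS value configurable or opt-in rather than applying it to every non-localhost deployment. The diffstat lists only src/http-transport.ts, so the "reproduction test case" named in the description does not appear to be part of this patch. The enclosing method of HttpTransport starts before this hunk and continues past it.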