davidruzicka · google-labs-jules · Dec 31, 2025
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,8 @@
+# Sentinel Journal
+
+This journal records critical security learnings and vulnerability patterns specific to this codebase.
+
+## 2025-12-31 - Missing Security Headers in HTTP Transport
+**Vulnerability:** The HTTP transport layer (`src/http-transport.ts`) was missing standard security headers (`X-Content-Type-Options`, `X-Frame-Options`, `Content-Security-Policy`, `Strict-Transport-Security`).
+**Learning:** Even when security middleware is mentioned in memory/documentation, it might not be implemented in the code if it was assumed to be provided by an external proxy or if the implementation was incomplete.
+**Prevention:** Added standard security headers in the `setupMiddleware` function of `HttpTransport` class. Added `src/http-transport-headers.test.ts` to verify the presence of these headers.
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/http-transport-headers.test.ts b/src/http-transport-headers.test.ts
@@ -0,0 +1,82 @@
+
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import request from 'supertest';
+import type { Express } from 'express';
+import { HttpTransport } from './http-transport.js';
+import { ConsoleLogger } from './logger.js';
+import { describeIfListen } from './testing/listen-support.js';
+
+describeIfListen('HttpTransport Security Headers', () => {
+  let transport: HttpTransport;
+  let app: Express;
+  const logger = new ConsoleLogger();
+
+  beforeEach(async () => {
+    const config = {
+      host: '127.0.0.1',
+      port: 0,
+      sessionTimeoutMs: 1800000,
+      heartbeatEnabled: false,
+      heartbeatIntervalMs: 30000,
+      metricsEnabled: false,
+      metricsPath: '/metrics',
+    };
+
+    transport = new HttpTransport(config, logger);
+    app = (transport as any).app;
+    transport.setMessageHandler(async () => ({ result: 'ok' }));
+  });
+
+  afterEach(async () => {
+    await transport.stop();
+  });
+
+  it('should set X-Content-Type-Options header', async () => {
+    const response = await request(app).get('/health');
+    expect(response.headers['x-content-type-options']).toBe('nosniff');
+  });
+
+  it('should set X-Frame-Options header', async () => {
+    const response = await request(app).get('/health');
+    expect(response.headers['x-frame-options']).toBe('DENY');
+  });
+
+  it('should set Content-Security-Policy header', async () => {
+    const response = await request(app).get('/health');
+    expect(response.headers['content-security-policy']).toBe("default-src 'self'");
+  });
+
+  it('should set HSTS header on non-localhost requests', async () => {
+      // Mocking a non-localhost request via Host header and potentially modifying transport config if needed
+      // However, supertest requests are local. We might need to mock req.hostname or check logic.
+      // Let's create a new transport with a non-localhost host config to simulate production-like env
+       const prodTransport = new HttpTransport({
+        host: '0.0.0.0', // Bind to all interfaces, simulates prod
+        port: 0,
+        sessionTimeoutMs: 1800000,
+        heartbeatEnabled: false,
+        heartbeatIntervalMs: 30000,
+        metricsEnabled: false,
+        metricsPath: '/metrics',
+      }, logger);
+      const prodApp = (prodTransport as any).app;
+
+      // We need to trick the middleware into thinking it's not localhost.
+      // Express req.hostname depends on Host header.
+      const response = await request(prodApp)
+        .get('/health')
+        .set('Host', 'example.com');
+
+      expect(response.headers['strict-transport-security']).toBe('max-age=31536000; includeSubDomains');
+
+      await prodTransport.stop();
+  });
+
+  it('should NOT set HSTS header on localhost requests', async () => {
+      const response = await request(app)
+        .get('/health')
+        .set('Host', 'localhost');
+
+      expect(response.headers['strict-transport-security']).toBeUndefined();
+  });
+});
diff --git a/src/http-transport.ts b/src/http-transport.ts
@@ -127,6 +127,21 @@ export class HttpTransport {
       next();
     });
 
+    // Security: Standard security headers
+    this.app.use((req: Request, res: Response, next: NextFunction) => {
+      res.setHeader('X-Content-Type-Options', 'nosniff');
+      res.setHeader('X-Frame-Options', 'DENY');
+      res.setHeader('Content-Security-Policy', "default-src 'self'");
+
+      // Strict-Transport-Security (HSTS)
+      // Only set for non-localhost to facilitate local development
+      if (req.hostname !== 'localhost' && req.hostname !== '127.0.0.1') {
+        res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+      }
+
+      next();
+    });
+
     // JSON body parser
     this.app.use(express.json());