
@jonasiu (Collaborator) commented Nov 21, 2025

Summary

Implements strict security headers on HTML error responses (404 and 500) to address issue #100. This provides defense-in-depth protection even though the application currently returns JSON-only responses.

Changes

Code Changes

  • 404 Handler (apps/backend/src/index.ts): Added strict security headers before JSON response
  • Error Handler (apps/backend/src/middlewares/errorHandler.ts): Created setStrictSecurityHeaders() helper and applied to all error responses

Security Headers Enforced

Content-Security-Policy: default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'

  • Blocks ALL resources (stricter than Helmet defaults)

X-Content-Type-Options: nosniff

  • Prevents MIME type sniffing

X-Frame-Options: DENY

  • Prevents clickjacking attacks

Content-Disposition: inline

  • Prevents download misinterpretation

Test Coverage

  • 4 new unit tests for 404 handler security headers
  • 3 new unit tests for error handler security headers
  • New integration test file with 8 comprehensive tests using supertest
  • All 893 backend tests pass

Manual Verification

# Test 404 with XSS payload
curl -I "http://localhost:3001/%3Cscript%3Ealert(1)%3C/script%3E"

# Response includes all security headers:
Content-Security-Policy: default-src 'none'; script-src 'none'; ...
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Disposition: inline
Content-Type: application/json

Testing

Run tests:

pnpm test:backend  # All 893 tests pass
pnpm lint          # No errors (only pre-existing warnings)
pnpm build         # Successful

Impact

  • Risk: LOW - Non-breaking change (adds headers to existing JSON responses)
  • Benefit: HIGH - Defense-in-depth security posture
  • Performance: Negligible (4 header operations per error response)

Closes

Closes #100


🤖 Generated with Claude Code

   Add comprehensive security headers to 404 and error handlers for defense-in-depth:
   - Content-Security-Policy with strict 'none' directives (blocks all resources)
   - X-Content-Type-Options: nosniff (prevents MIME sniffing)
   - X-Frame-Options: DENY (prevents clickjacking)
   - Content-Disposition: inline (prevents download misinterpretation)

   Changes:
   - Enhanced 404 handler in apps/backend/src/index.ts
   - Enhanced error handler in apps/backend/src/middlewares/errorHandler.ts
   - Added comprehensive unit tests for both handlers
   - Created integration tests with real HTTP requests
   - All 893 backend tests pass
   - Manual verification confirms headers are present

   Closes #100
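Added example, not code from this PR or from the project: a framework-agnostic version of the strict-header helper the description talks about, an in-memory 404 handler that applies it in the order the PR describes (headers first, then the JSON body), and a checker that takes a captured header set, such as the output of the curl command above, and reports anything that falls short of the policy. Two points the checker encodes that the PR body only implies: `base-uri`, `form-action` and `frame-ancestors` do not inherit from `default-src`, so they are verified individually, and header names are matched case-insensitively because HTTP/2 responses and most proxies lower-case them. `X-Frame-Options: DENY` is redundant with `frame-ancestors 'none'` in current browsers and only serves older ones; it is still checked. All names below (`MinimalResponse`, `setStrictSecurityHeaders`, `parseCsp`, `checkStrictSecurityHeaders`, `FakeResponse`, `handleNotFound`) are assumptions for illustration, not the project's identifiers.

```typescript
// Added example (assumed names throughout), not the project's own code.
type HeaderMap = Record<string, string>;

// Subset of Express's Response that the helper needs, so it runs against a
// real res object or the in-memory FakeResponse below.
interface MinimalResponse {
  setHeader(name: string, value: string): void;
}

// CSP for an error response that must never render active content. base-uri,
// form-action and frame-ancestors do NOT fall back to default-src, so they
// must be listed explicitly; the other 'none' entries are belt-and-braces.
const STRICT_CSP = [
  "default-src 'none'", "script-src 'none'", "style-src 'none'",
  "img-src 'none'", "object-src 'none'", "base-uri 'none'",
  "form-action 'none'", "frame-ancestors 'none'",
].join("; ");

const STRICT_HEADERS: HeaderMap = {
  "Content-Security-Policy": STRICT_CSP,
  "X-Content-Type-Options": "nosniff", // no MIME sniffing of the JSON body
  "X-Frame-Options": "DENY",           // legacy form of frame-ancestors 'none'
  "Content-Disposition": "inline",     // render in place, not as a download
};

function setStrictSecurityHeaders(res: MinimalResponse): void {
  for (const k of Object.keys(STRICT_HEADERS)) res.setHeader(k, STRICT_HEADERS[k]);
}

// Parse a CSP value into directive -> source expressions (directive names
// lower-cased, empty segments dropped).
function parseCsp(csp: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const raw of csp.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    out.set(directive.toLowerCase(), sources);
  }
  return out;
}

// Directives that must be exactly 'none' on an error response.
const REQUIRED_NONE = ["default-src", "object-src", "base-uri", "form-action", "frame-ancestors"];

// Findings for a captured header set; an empty list means the policy is met.
function checkStrictSecurityHeaders(headers: HeaderMap): string[] {
  const h: HeaderMap = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = headers[k];
  const findings: string[] = [];

  const csp = h["content-security-policy"];
  if (csp === undefined) {
    findings.push("missing Content-Security-Policy");
  } else {
    const directives = parseCsp(csp);
    for (const d of REQUIRED_NONE) {
      const src = directives.get(d);
      if (!src || src.length !== 1 || src[0].toLowerCase() !== "'none'") {
        findings.push(`CSP directive ${d} is not 'none'`);
      }
    }
  }
  if ((h["x-content-type-options"] ?? "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }
  if ((h["x-frame-options"] ?? "").toUpperCase() !== "DENY") {
    findings.push("X-Frame-Options is not DENY");
  }
  // A text/html error body would make the CSP load-bearing; the PR's error
  // responses are JSON, so anything else is flagged.
  if (!(h["content-type"] ?? "").toLowerCase().startsWith("application/json")) {
    findings.push("Content-Type is not application/json");
  }
  return findings;
}

// In-memory stand-in for the Express response, to exercise the handler offline.
class FakeResponse implements MinimalResponse {
  readonly headers: HeaderMap = {};
  statusCode = 200;
  body = "";
  setHeader(name: string, value: string): void { this.headers[name] = value; }
  status(code: number): this { this.statusCode = code; return this; }
  json(payload: unknown): void {
    this.setHeader("Content-Type", "application/json; charset=utf-8");
    this.body = JSON.stringify(payload);
  }
}

// 404 handler in the shape the PR describes: headers first, then JSON. The
// body deliberately does not echo the requested path, so a request for
// /<script>alert(1)</script> is never reflected, whatever the headers say.
function handleNotFound(res: FakeResponse): FakeResponse {
  setStrictSecurityHeaders(res);
  res.status(404).json({ error: "Not Found" });
  return res;
}

// Stand-alone run: the offline equivalent of the curl -I check above.
const demo = handleNotFound(new FakeResponse());
console.log(demo.statusCode, demo.headers, checkStrictSecurityHeaders(demo.headers));
```

When verifying against a live server, repeat the curl check with a GET (`curl -s -D - -o /dev/null "$URL"`) as well as `-I`: `-I` sends HEAD, and a route that handles HEAD separately from GET can return a different header set.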
@jonasiu jonasiu linked an issue Nov 21, 2025 that may be closed by this pull request
@jonasyr jonasyr requested a review from NiklasSkulll November 21, 2025 14:02
@jonasyr jonasyr self-assigned this Nov 21, 2025

@NiklasSkulll NiklasSkulll merged commit 4a2dc70 into dev Nov 22, 2025
8 checks passed
@NiklasSkulll NiklasSkulll deleted the 100-typesecurity-security-headers-missing-on-html-error-responses branch November 23, 2025 17:40
Linked issue: type(security): Security Headers Missing on HTML Error Responses