
Harden security headers and cleanup #25

Merged
dadachi merged 1 commit into main from harden_security_headers_and_cleanup
Mar 14, 2026

Conversation

@dadachi (Contributor) commented Mar 14, 2026

Summary

  • Remove unused rack-cors gem (not needed for native mobile app API)
  • Enable Content-Security-Policy with restrictive defaults, allowing Google Fonts
  • Enable Permissions-Policy to disable unnecessary browser features (camera, mic, geolocation, etc.)
  • Enable DNS rebinding protection in production using RENDER_EXTERNAL_HOSTNAME and APP_HOST env vars
  • Replace font preload/onload hack with standard <link rel="stylesheet"> in all layouts
  • Reduce Devise token lifespan from 90 to 30 days
  • Reduce max concurrent devices from 100 to 10

Test plan

  • bin/rubocop — no offenses
  • bin/brakeman — no security warnings
  • bin/rails test — 376 tests, 709 assertions, 0 failures
  • Verify font loading works correctly on web pages (password reset, error pages)
  • Verify API authentication still works with reduced token lifespan/device limits
  • Verify Render deployment succeeds with RENDER_EXTERNAL_HOSTNAME and APP_HOST set

🤖 Generated with Claude Code

- Remove unused rack-cors gem
- Enable Content-Security-Policy with restrictive defaults and Google Fonts allowlist
- Enable Permissions-Policy to disable unnecessary browser features
- Enable DNS rebinding protection in production using Render env vars
- Replace font preload/onload hack with standard stylesheet link
- Reduce token lifespan from 90 to 30 days
- Reduce max concurrent devices from 100 to 10

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
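Added example, not code from this PR or from the project: plain Ruby that builds the header values and the host allowlist the PR description enables, so they can be inspected and unit-tested outside Rails. The exact directive lists are assumptions modelled on the summary (restrictive defaults plus a Google Fonts allowlist, camera/microphone/geolocation disabled, hosts taken from RENDER_EXTERNAL_HOSTNAME and APP_HOST); in the app itself the same values would come from Rails' config.content_security_policy, config.permissions_policy and config.hosts.

```ruby
# Google Fonts serves the stylesheet and the font files from two different
# origins, so a CSP that only allowlists one of them breaks font loading.
GOOGLE_FONTS_CSS   = "https://fonts.googleapis.com".freeze  # <link rel="stylesheet">
GOOGLE_FONTS_FILES = "https://fonts.gstatic.com".freeze     # the .woff2 files

# Content-Security-Policy: deny by default, then open only what the layouts need.
# Directive set is an assumption modelled on the PR summary, not the project's file.
def content_security_policy
  directives = {
    "default-src"     => ["'self'"],
    "script-src"      => ["'self'"],
    "style-src"       => ["'self'", GOOGLE_FONTS_CSS],
    "font-src"        => ["'self'", GOOGLE_FONTS_FILES],
    "img-src"         => ["'self'", "data:"],
    "object-src"      => ["'none'"],
    "frame-ancestors" => ["'none'"]
  }
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Permissions-Policy: "feature=()" denies the feature to every origin, including
# the page itself. The feature list is an assumption based on the PR summary.
def permissions_policy(disabled = %w[camera microphone geolocation])
  disabled.map { |feature| "#{feature}=()" }.join(", ")
end

# DNS-rebinding protection: only hostnames named by the deployment env vars are
# accepted; unset or empty variables contribute nothing to the allowlist.
def allowed_hosts(env)
  env.values_at("RENDER_EXTERNAL_HOSTNAME", "APP_HOST").compact.reject(&:empty?)
end

# Compare the Host header (port stripped, case-insensitive) against the allowlist.
# A request whose Host is not listed should be rejected before routing.
def host_allowed?(host_header, allowlist)
  host = host_header.to_s.sub(/:\d+\z/, "").downcase
  allowlist.any? { |allowed| allowed.downcase == host }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample environment, not real deployment values.
  env = { "RENDER_EXTERNAL_HOSTNAME" => "app.onrender.example", "APP_HOST" => "www.example.test" }
  puts "Content-Security-Policy: #{content_security_policy}"
  puts "Permissions-Policy: #{permissions_policy}"
  puts "Allowed hosts: #{allowed_hosts(env).inspect}"
  puts "evil.example allowed? #{host_allowed?('evil.example', allowed_hosts(env))}"
end
```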
@dadachi dadachi merged commit 2823d2f into main Mar 14, 2026
3 checks passed
@dadachi dadachi deleted the harden_security_headers_and_cleanup branch March 18, 2026 08:07