#19519: security: add HSTS, Cache-Control, and security response headers
gateway
size: S
## Summary
- Add security headers middleware (`security-headers.ts`) applied to all HTTP responses
- `Strict-Transport-Security` (HSTS, 1 year + includeSubDomains) when TLS is enabled
- `Cache-Control: no-store` on `/api/`, `/hooks/`, and `/v1/` endpoints
- `X-Content-Type-Options: nosniff` on all responses
- `X-Frame-Options: DENY` as backup for CSP `frame-ancestors`
- `Referrer-Policy: strict-origin-when-cross-origin`
## Security Impact
Hardens HTTP response headers against clickjacking, MIME sniffing, and referrer leakage, and ensures that API/auth data is not cached by browsers or proxies.
## Test plan
- [x] Unit tests for all headers
- [x] Verify HSTS only applied when TLS is enabled
- [x] Test Cache-Control on API/hooks/v1 paths
- [x] Verify static paths don't get no-store
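The header policy the summary describes, written as an added example rather than the project's own `security-headers.ts`: a pure function computes the header set from the request path and the TLS flag so each rule in the test plan (HSTS only under TLS, `no-store` only on API/hooks/v1 paths, static paths untouched) can be asserted without an HTTP server. The function and type names, and the `setHeader` adapter, are assumptions.

```typescript
// Added example, not the gateway's real middleware. Path prefixes, header values
// and the TLS condition come from the PR summary; names are assumptions.

/** Minimal request view: the URL path and whether this listener serves TLS. */
interface HeaderContext {
  path: string;
  tlsEnabled: boolean;
}

/** Prefixes whose responses carry API, webhook or auth data and must not be cached. */
const NO_STORE_PREFIXES = ["/api/", "/hooks/", "/v1/"];

/** One year in seconds, the HSTS max-age named in the summary. */
const HSTS_MAX_AGE = 365 * 24 * 60 * 60;

/** Compute the security headers for one response; returns a plain name->value map. */
function securityHeadersFor(ctx: HeaderContext): Record<string, string> {
  const headers: Record<string, string> = {
    // Stops browsers from guessing a MIME type from the body.
    "X-Content-Type-Options": "nosniff",
    // Legacy clickjacking defence; CSP frame-ancestors is the primary control.
    "X-Frame-Options": "DENY",
    // Full referrer same-origin only; origin only cross-site; nothing on HTTPS->HTTP downgrade.
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };

  // HSTS is only meaningful on a TLS listener; browsers ignore it over plain HTTP,
  // so emitting it there would only make a misconfigured deployment look hardened.
  if (ctx.tlsEnabled) {
    headers["Strict-Transport-Security"] = `max-age=${HSTS_MAX_AGE}; includeSubDomains`;
  }

  // Sensitive endpoints: no-store keeps responses out of browser and proxy caches.
  // Static assets deliberately get no Cache-Control here so they stay cacheable.
  if (NO_STORE_PREFIXES.some((prefix) => ctx.path.startsWith(prefix))) {
    headers["Cache-Control"] = "no-store";
  }

  return headers;
}

/** Apply the computed headers to anything with setHeader(name, value), e.g. Node's ServerResponse. */
function applySecurityHeaders(
  ctx: HeaderContext,
  res: { setHeader(name: string, value: string): void },
): void {
  for (const [name, value] of Object.entries(securityHeadersFor(ctx))) {
    res.setHeader(name, value);
  }
}
```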