Archive code-review-fix change and sync specs to main
- Synced 14 capability delta specs to main specs - Created 6 new main specs: api-authentication, error-boundary, input-validation, security-headers, shared-types - Updated 8 existing specs with security, validation, and performance requirements - Archived change to openspec/changes/archive/2026-02-20-code-review-fix/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marko Djordjevic
parent
adb93a2d2e
commit
925e7284e3
32 changed files with 691 additions and 4 deletions
|
|
@ -1,21 +0,0 @@
|
|||
## ADDED Requirements
|
||||
|
||||
### Requirement: Security response headers
|
||||
The Next.js application SHALL add security response headers to all routes via the `headers()` function in `next.config.js`. The following headers SHALL be set:
|
||||
- `X-Frame-Options: DENY`
|
||||
- `X-Content-Type-Options: nosniff`
|
||||
- `Referrer-Policy: strict-origin-when-cross-origin`
|
||||
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
|
||||
- `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:`
|
||||
|
||||
#### Scenario: Headers present on HTML response
|
||||
- **WHEN** a browser requests any page
|
||||
- **THEN** the response includes all five security headers
|
||||
|
||||
#### Scenario: Headers present on API response
|
||||
- **WHEN** a client requests any `/api/*` endpoint
|
||||
- **THEN** the response includes all five security headers
|
||||
|
||||
#### Scenario: Clickjacking prevented
|
||||
- **WHEN** a third-party site attempts to embed the application in an iframe
|
||||
- **THEN** the browser blocks the embedding due to `X-Frame-Options: DENY`
|
||||
Loading…
Add table
Add a link
Reference in a new issue