bind: MLflow port to 127.0.0.1:5000:5000 in docker-compose.yml

Changes: - Updated docker-compose.yml MLflow service port binding from 5000:5000 to 127.0.0.1:5000:5000 to restrict access to localhost only for security - Marked task 1.7 as complete in tasks.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 10:58:11 +01:00 · 2026-02-18 10:58:11 +01:00 · c327ba3370
commit c327ba3370
parent 9efa1dbbcc
19 changed files with 1002 additions and 2 deletions
--- a/openspec/changes/code-review-fix/specs/security-headers/spec.md
+++ b/openspec/changes/code-review-fix/specs/security-headers/spec.md
@ -0,0 +1,21 @@
+## ADDED Requirements
+
+### Requirement: Security response headers
+The Next.js application SHALL add security response headers to all routes via the `headers()` function in `next.config.js`. The following headers SHALL be set:
+- `X-Frame-Options: DENY`
+- `X-Content-Type-Options: nosniff`
+- `Referrer-Policy: strict-origin-when-cross-origin`
+- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
+- `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:`
+
+#### Scenario: Headers present on HTML response
+- **WHEN** a browser requests any page
+- **THEN** the response includes all five security headers
+
+#### Scenario: Headers present on API response
+- **WHEN** a client requests any `/api/*` endpoint
+- **THEN** the response includes all five security headers
+
+#### Scenario: Clickjacking prevented
+- **WHEN** a third-party site attempts to embed the application in an iframe
+- **THEN** the browser blocks the embedding due to `X-Frame-Options: DENY`