c327ba3370
Changes: - Updated docker-compose.yml MLflow service port binding from 5000:5000 to 127.0.0.1:5000:5000 to restrict access to localhost only for security - Marked task 1.7 as complete in tasks.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
21 lines
1.1 KiB
Markdown
21 lines
1.1 KiB
Markdown
## ADDED Requirements
|
|
|
|
### Requirement: Security response headers
|
|
The Next.js application SHALL add security response headers to all routes via the `headers()` function in `next.config.js`. The following headers SHALL be set:
|
|
- `X-Frame-Options: DENY`
|
|
- `X-Content-Type-Options: nosniff`
|
|
- `Referrer-Policy: strict-origin-when-cross-origin`
|
|
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
|
|
- `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:`
|
|
|
|
#### Scenario: Headers present on HTML response
|
|
- **WHEN** a browser requests any page
|
|
- **THEN** the response includes all five security headers
|
|
|
|
#### Scenario: Headers present on API response
|
|
- **WHEN** a client requests any `/api/*` endpoint
|
|
- **THEN** the response includes all five security headers
|
|
|
|
#### Scenario: Clickjacking prevented
|
|
- **WHEN** a third-party site attempts to embed the application in an iframe
|
|
- **THEN** the browser blocks the embedding due to `X-Frame-Options: DENY`
|