trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions
candle-annotator/openspec/specs/security-headers/spec.md
Marko Djordjevic 925e7284e3 Archive code-review-fix change and sync specs to main 
- Synced 14 capability delta specs to main specs
- Created 6 new main specs: api-authentication, error-boundary, input-validation, security-headers, shared-types
- Updated 8 existing specs with security, validation, and performance requirements
- Archived change to openspec/changes/archive/2026-02-20-code-review-fix/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 08:54:59 +01:00

1.1 KiB
Raw Blame History

ADDED Requirements

Requirement: Security response headers

The Next.js application SHALL add security response headers to all routes via the headers() function in next.config.js. The following headers SHALL be set:

  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:

Scenario: Headers present on HTML response

  • WHEN a browser requests any page
  • THEN the response includes all five security headers

Scenario: Headers present on API response

  • WHEN a client requests any /api/* endpoint
  • THEN the response includes all five security headers

Scenario: Clickjacking prevented

  • WHEN a third-party site attempts to embed the application in an iframe
  • THEN the browser blocks the embedding due to X-Frame-Options: DENY