candle-annotator/openspec/changes/code-review-fix/specs/security-headers/spec.md
Marko Djordjevic c327ba3370 bind: MLflow port to 127.0.0.1:5000:5000 in docker-compose.yml
Changes:
- Updated docker-compose.yml MLflow service port binding from 5000:5000 to 127.0.0.1:5000:5000
  to restrict access to localhost only for security
- Marked task 1.7 as complete in tasks.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 10:58:11 +01:00

ADDED Requirements

Requirement: Security response headers

The Next.js application SHALL add security response headers to all routes via the headers() function in next.config.js. The following headers SHALL be set:

  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:

Scenario: Headers present on HTML response

  • WHEN a browser requests any page
  • THEN the response includes all five security headers

Scenario: Headers present on API response

  • WHEN a client requests any /api/* endpoint
  • THEN the response includes all five security headers

Scenario: Clickjacking prevented

  • WHEN a third-party site attempts to embed the application in an iframe
  • THEN the browser blocks the embedding due to X-Frame-Options: DENY
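The requirement above says the headers are set through the `headers()` hook in `next.config.js`, and the three scenarios say every HTML and `/api/*` response must carry all five. The following is an added example written for this spec, not the project's actual `next.config.js`: it builds the five headers exactly as listed, returns them from a Next.js `headers()` function with a `'/:path*'` source that matches every route (including API routes), and adds a small `missingSecurityHeaders()` checker that a test or smoke script can run against the headers of a real response to verify the scenarios. The `buildSecurityHeaderRules` and `missingSecurityHeaders` names are this example's own; only the header names and values come from the spec.

```javascript
// next.config.js (added example that mirrors the spec above; not the project's own file)
// Assumes the Next.js config `headers()` hook, which returns
// [{ source, headers: [{ key, value }, ...] }].

// Build the CSP from its directives so each one is visible and reviewable.
const contentSecurityPolicy = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
  "font-src 'self' https://fonts.gstatic.com",
  "img-src 'self' data: blob:",
].join('; ');

// The five headers the spec requires on every response.
const securityHeaders = [
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  { key: 'Content-Security-Policy', value: contentSecurityPolicy },
];

// One rule whose source matches every path, so pages and /api/* routes
// both receive the headers (scenarios 1 and 2). Hypothetical helper name.
function buildSecurityHeaderRules() {
  return [
    {
      source: '/:path*',
      headers: securityHeaders,
    },
  ];
}

// The hook Next.js calls at build/start time.
async function headers() {
  return buildSecurityHeaderRules();
}

// Verification helper (hypothetical name): given a plain object of response
// headers, e.g. Object.fromEntries(res.headers) after a fetch(), return the
// required headers that are absent or carry a different value. Header names
// are compared case-insensitively, as HTTP requires. Empty array = all present.
function missingSecurityHeaders(responseHeaders) {
  const byLowerName = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    byLowerName[name.toLowerCase()] = value;
  }
  return securityHeaders
    .filter(({ key, value }) => byLowerName[key.toLowerCase()] !== value)
    .map(({ key }) => key);
}

// Only `headers` belongs in the real config export; guarded so the file also
// runs outside CommonJS.
if (typeof module !== 'undefined') {
  module.exports = { headers };
}
```

A check script can `fetch()` a page and an `/api/*` endpoint from a running instance and call `missingSecurityHeaders(Object.fromEntries(res.headers))` for each; a non-empty result names exactly which scenario fails. Note that `'unsafe-inline'` and `'unsafe-eval'` in `script-src` leave the CSP permitting inline and dynamically evaluated scripts, so this policy mainly restricts where external resources load from rather than mitigating injected script; tightening `script-src` with nonces or hashes would be a separate change to this requirement.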