initial commit

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/middleware/security.ts

@@ -0,0 +1,15 @@
+import { FastifyReply, FastifyRequest } from 'fastify';
+import { config } from '../config/env';
+
+export async function securityHeaders(
+  _request: FastifyRequest,
+  reply: FastifyReply,
+): Promise<void> {
+  reply.header('X-Content-Type-Options', 'nosniff');
+  reply.header('X-Frame-Options', 'DENY');
+  reply.header('Referrer-Policy', 'strict-origin-when-cross-origin');
+
+  if (config.isProduction) {
+    reply.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+  }
+}