From 8aa1d40ba188cfaa5ed9202cd7a295b732dfab8e Mon Sep 17 00:00:00 2001
From: BOHA
Date: Mon, 23 Mar 2026 08:47:16 +0100
Subject: [PATCH] security: add CSP (prod) and Permissions-Policy headers

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/middleware/security.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/middleware/security.ts b/src/middleware/security.ts
index 63bb248..3810492 100644
--- a/src/middleware/security.ts
+++ b/src/middleware/security.ts
@@ -8,8 +8,13 @@ export async function securityHeaders(
   reply.header('X-Content-Type-Options', 'nosniff');
   reply.header('X-Frame-Options', 'DENY');
   reply.header('Referrer-Policy', 'strict-origin-when-cross-origin');
+  reply.header('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
   if (config.isProduction) {
     reply.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+    reply.header(
+      'Content-Security-Policy',
+      "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'",
+    );
   }
 }
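Review bot: The new Content-Security-Policy string omits `base-uri`, `form-action` and `frame-ancestors`, none of which fall back to `default-src`, so an injection point on a page can still plant a `<base>` tag that redirects every relative URL `script-src 'self'` would otherwise load, or submit a form to a foreign origin; `object-src` does inherit `'self'` but is conventionally pinned to `'none'`. I would extend the directive string to `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"`, where `frame-ancestors 'none'` mirrors the `X-Frame-Options: DENY` already sent above and takes precedence over it in CSP-aware browsers. Separately, the policy is only emitted when `config.isProduction` while Permissions-Policy is emitted everywhere, so any inline script or cross-origin asset the policy blocks is first discovered after deployment; consider sending the policy in every environment and switching only the header name, e.g. `reply.header(config.isProduction ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only', csp);` outside the `if`, so non-production reports violations without breaking. `style-src 'unsafe-inline'` also deserves a comment naming what requires it (presumably a framework injecting inline styles — worth confirming), since it weakens the policy against injected CSS; note that the `securityHeaders` signature begins above the hunk.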