No security headers were set. Add SecurityHeadersMiddleware applying Content-Security-Policy (configurable), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy, and Strict-Transport-Security on HTTPS deployments. Verified HTMX/WebAuthn/forms still work under the CSP. Refs: porchlight-1ph Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| porchlight | ||