mirror of
https://github.com/pewdiepie-archdaemon/odysseus.git
synced 2026-06-16 01:35:36 -04:00
Giuseppe
95c2dca4b5
* fix(security): add HSTS and Permissions-Policy headers to SecurityHeadersMiddleware Strict-Transport-Security is sent only when the connection is HTTPS (detected via request.url.scheme or X-Forwarded-Proto: https), so plain-HTTP dev deployments behind a reverse proxy are unaffected. Permissions-Policy disables camera, microphone, and geolocation APIs unconditionally — Odysseus does not use them, and this prevents a successful XSS from requesting browser-native sensor access. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): scope Permissions-Policy microphone directive to same-origin Reviewers on PR #3081 (alteixeira20, NubsCarson) flagged that microphone=() blocks mic access for same-origin (self) too, breaking Odysseus's own voice/STT flow (getUserMedia({audio: true}) in static/js/voiceRecorder.js). Scope it to microphone=(self) so third-party origins stay locked out while the app's own UI keeps mic access; camera and geolocation remain fully disabled as unused. Adds focused middleware tests covering HSTS scoping (HTTPS direct, X-Forwarded-Proto, absent on plain HTTP) and the Permissions-Policy same-origin microphone contract. --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>