From ad138059dbe9e5dec2324c22278c3f3f5f11ecb4 Mon Sep 17 00:00:00 2001
From: Oliver Bryan <04oliverbryan@gmail.com>
Date: Fri, 9 Jan 2026 04:53:05 +0000
Subject: [PATCH] security headers

---
 packages/backend/src/auth/middleware.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/packages/backend/src/auth/middleware.ts b/packages/backend/src/auth/middleware.ts
index 352c7d2..9e8e624 100644
--- a/packages/backend/src/auth/middleware.ts
+++ b/packages/backend/src/auth/middleware.ts
@@ -89,6 +89,11 @@ const buildCorsHeaders = (req: Request) => {
 export const withCors = (handler: RouteHandler): RouteHandler => {
   return async (req: T) => {
     const corsHeaders = buildCorsHeaders(req);
+    const securityHeaders = new Headers();
+    securityHeaders.set("X-Content-Type-Options", "nosniff");
+    securityHeaders.set("X-Frame-Options", "DENY");
+    securityHeaders.set("X-XSS-Protection", "1; mode=block");
+    securityHeaders.set("Referrer-Policy", "strict-origin-when-cross-origin");

     if (req.method === "OPTIONS") {
       return new Response(null, { status: 204, headers: corsHeaders });
@@ -101,6 +106,10 @@ export const withCors = (handler: RouteHandler): RouteH
       wrapped.headers.set(key, value);
     });

+    securityHeaders.forEach((value, key) => {
+      wrapped.headers.set(key, value);
+    });
+
     return wrapped;
   };
 };
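Review bot: `securityHeaders.set("X-XSS-Protection", "1; mode=block")` in the first hunk switches on the legacy browser XSS auditor, which current guidance treats as a liability rather than a protection (the auditor itself has been used to leak page contents and no current browser implements it), so the line should become `securityHeaders.set("X-XSS-Protection", "0");` or be dropped in favour of a Content-Security-Policy header. In the second hunk `wrapped.headers.set(key, value)` silently overrides any of these headers a route handler set itself, which is probably the intent for a security middleware but deserves a one-line comment such as `// security headers always win over per-route values`. The early `return new Response(null, { status: 204, headers: corsHeaders })` on the OPTIONS path never receives the new headers, which is harmless for a preflight but inconsistent; either apply them there too or note why not. Since the four values never vary per request, building a fresh `Headers` on every call could be replaced by one module-level constant. The middle of withCors, where `wrapped` is created, lies between the two hunks and is not shown.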