Skip to content

chore(security): harden file endpoints (CSP+XFO) #67

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thewilloftheshadow merged 1 commit into from
Jan 29, 2026
Merged

chore(security): harden file endpoints (CSP+XFO) #67

thewilloftheshadow merged 1 commit into from
Jan 29, 2026

Conversation

@vignesh07
Copy link
Contributor

@vignesh07 vignesh07 commented Jan 29, 2026
edited
Loading

Follow-ups after #61 (merged):

  • Tighten CSP for skills/souls file-serving endpoints: add frame-ancestors 'none', base-uri 'none', form-action 'none' (keeps default-src 'none').
  • Add X-Frame-Options: DENY as an extra defense-in-depth layer.
  • Make SVG detection more robust by also checking file extension (.svg) in addition to content-type.

@vercel
Copy link
Contributor

vercel bot commented Jan 29, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
clawdhub Ready Ready Preview, Comment Jan 29, 2026 4:29am

@thewilloftheshadow
Copy link
Member

thewilloftheshadow commented Jan 29, 2026

You beat me to the extension one lol

@thewilloftheshadow thewilloftheshadow merged commit 5ef00e8 into main Jan 29, 2026
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vignesh07 @thewilloftheshadow