soulsync/Support
BoulderBadgeDad 5e5bc12e45 Security: add gated security headers in reverse-proxy mode (Tier 2)
Fold a conservative security-header set into the SAME opt-in proxy mode, so it's
zero-impact when off. When security.trust_reverse_proxy is on, an after_request
adds X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, and HSTS
(safe — only honoured over the proxy's HTTPS), via setdefault so it never clobbers
a header the proxy already set. No CSP (needs per-deploy tuning; better at the
proxy). When OFF (default), the after_request isn't registered → no headers added.

Tests: off adds none of the headers; on adds all three. Doc updated. 6 tests pass.
2026-06-10 20:48:51 -07:00
..
API.md Update API.md 2026-03-04 14:13:22 -08:00
AUTOMATIONS.md update readme and include automation docs 2026-03-05 18:45:00 -08:00
DOCKER-OAUTH-FIX.md Reverse proxy fix 2026-03-03 12:04:53 -08:00
DOCKER-TRANSFER-GUIDE.md organization 2026-01-27 12:23:19 -08:00
DOCKER.md organization 2026-01-27 12:23:19 -08:00
DOCKER_PERMISSIONS.md organization 2026-01-27 12:23:19 -08:00
IMPORT-STAGING-GUIDE.md Create IMPORT-STAGING-GUIDE.md 2026-03-01 16:53:40 -08:00
METADATA-FALLBACK-IMPLEMENTATION.md organization 2026-01-27 12:23:19 -08:00
README-Docker.md Document dev/nightly release channels and contributor workflow 2026-04-21 14:40:24 -07:00
REVERSE-PROXY.md Security: add gated security headers in reverse-proxy mode (Tier 2) 2026-06-10 20:48:51 -07:00
UNRAID.md organization 2026-01-27 12:23:19 -08:00