Enhance security architecture and guidelines across documentation and middleware; implement input validation, logging improvements, and security headers in API handlers.
@@ -98,6 +98,17 @@ This document describes the security architecture, configurations, and best prac
|
||||
- `INTERNAL` (500)
|
||||
- **No Secrets in Logs**: Passwords and tokens are never logged
|
||||
|
||||
### Security Headers
|
||||
|
||||
The application sets comprehensive security headers:
|
||||
|
||||
- **X-Content-Type-Options**: `nosniff` - Prevents MIME type sniffing
|
||||
- **X-Frame-Options**: `DENY` - Prevents clickjacking (except for WOPI endpoints)
|
||||
- **X-XSS-Protection**: `1; mode=block` - Enables XSS filtering
|
||||
- **Content-Security-Policy**: Restrictive policy allowing only necessary sources
|
||||
- **Referrer-Policy**: `strict-origin-when-cross-origin` - Controls referrer information
|
||||
- **CORS**: Restricted to allowed origins with credentials support
|
||||
|
||||
## Network Security
|
||||
|
||||
### TLS Configuration
|
||||
|
||||
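Review bot: The `X-XSS-Protection` entry under "Security Headers" documents `1; mode=block` as "Enables XSS filtering", but current browsers have removed the XSS auditor this header controlled, so the line promises protection that is not delivered. Either drop the header or set it to `0`, and say that XSS mitigation comes from the Content-Security-Policy. Three other entries in the same list are too vague to audit against. The Content-Security-Policy line ("Restrictive policy allowing only necessary sources") should list the actual directives. The X-Frame-Options line should say what the WOPI endpoints send instead of `DENY`, for example a CSP `frame-ancestors` restricted to the office host. The CORS line should state that "allowed origins" is an explicit allowlist, since credentials support combined with a wildcard or reflected `Origin` would expose authenticated responses to other sites.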