From 8c3e0f9554581917475b52f609030044ed90539d Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Tue, 14 Apr 2026 16:10:04 +0000 Subject: [PATCH] feat(GRO-631): add security headers to nginx.conf Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy, X-XSS-Protection, and Permissions-Policy headers to server block and static assets location. Co-Authored-By: Paperclip --- apps/web/nginx.conf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/apps/web/nginx.conf b/apps/web/nginx.conf index 89955f0..a70f242 100644 --- a/apps/web/nginx.conf +++ b/apps/web/nginx.conf @@ -3,10 +3,22 @@ server { root /usr/share/nginx/html; index index.html; + # Security headers + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; + # Cache static assets location ~* \.(js|css|png|svg|ico|woff2)$ { expires 1y; add_header Cache-Control "public, immutable"; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; } # Proxy API calls to the API service
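Review bot: `add_header X-XSS-Protection "1; mode=block" always;`, added in both the server block and the static-assets location, is a legacy header that current browsers ignore and whose filtering mode was itself a source of cross-site leak problems in the browsers that did honor it; current guidance is to disable it, `add_header X-XSS-Protection "0" always;`, or drop the line and rely on a Content-Security-Policy, which this commit does not add. The five headers are repeated inside the `location ~* \.(js|css|...)$` block because nginx's `add_header` in a `location` replaces the server-level set rather than extending it, so any other location with its own `add_header` or `expires` — the proxy location that begins after the hunk's last context line, or a `location /` outside the hunk, if either sets headers — will silently lose them unless the list is repeated there too; keeping the list in one file and pulling it in with `include <path-to-security-headers-snippet>;` at each site avoids the two copies drifting apart. Strict-Transport-Security is also absent; whether it belongs here depends on whether TLS terminates at this nginx, which the hunk does not show. The enclosing `server {` block starts before and ends after the hunk.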