
feat: Security headers decorator#89

Merged
thced merged 2 commits into master from feat/security-headers-decorator on May 21, 2026

Conversation

@thced thced commented May 21, 2026
Contributor

No description provided.

thced added 2 commits May 21, 2026 08:48
Provide an opt-in ResponseDecorator that sets two browser-hardening
headers on every response routed through the OpenAPI dispatch chain:

- X-Content-Type-Options: nosniff
- Cross-Origin-Resource-Policy: same-origin

Both are skipped when the handler has already set the header, so
per-response overrides keep working. Wire in with
OpenApiServer.builder().responseDecorator(Handlers.securityHeadersDecorator()).

ServerLauncher now applies the decorator so the local demo and the
ZAP scan exercise it.

Note: ResponseDecorator runs in the dispatch chain, not in
ExceptionFilter, so 500 responses produced by the default exception
path remain unaffected. That's an intentional scope limit for this
change.
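The set-if-absent rule the commit message describes, shown as an added example written for this page, not code from the project: the `Response` and `SecurityHeadersDecorator` types below are hypothetical stand-ins for whatever the project's `ResponseDecorator` and response classes actually look like. It shows the three cases a reviewer would want to see: a plain response gets both defaults, a handler-set `Cross-Origin-Resource-Policy` survives the decorator, and a 500 built outside the dispatch chain carries neither header (the scope limit noted above).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

// Hypothetical stand-in for the project's response type (assumption, not the project's API).
final class Response {
    final int status;
    final Map<String, String> headers = new LinkedHashMap<>();

    Response(int status) { this.status = status; }

    // HTTP header names are case-insensitive, so "already set" must be checked that way,
    // otherwise a handler writing "cross-origin-resource-policy" would be silently overridden.
    boolean hasHeader(String name) {
        return headers.keySet().stream().anyMatch(k -> k.equalsIgnoreCase(name));
    }

    void setHeader(String name, String value) { headers.put(name, value); }
}

// Hypothetical decorator mirroring the behaviour described in the commit message:
// each hardening header is applied only when the handler has not already set it.
final class SecurityHeadersDecorator implements UnaryOperator<Response> {
    private static final String[][] DEFAULTS = {
        {"X-Content-Type-Options", "nosniff"},
        {"Cross-Origin-Resource-Policy", "same-origin"},
    };

    @Override
    public Response apply(Response r) {
        for (String[] h : DEFAULTS) {
            if (!r.hasHeader(h[0])) {
                r.setHeader(h[0], h[1]);
            }
        }
        return r;
    }
}

public class SecurityHeadersDemo {
    public static void main(String[] args) {
        UnaryOperator<Response> decorator = new SecurityHeadersDecorator();

        // Case 1: plain handler response, both defaults are added.
        Response plain = decorator.apply(new Response(200));
        System.out.println("plain:    " + plain.headers);

        // Case 2: handler already set CORP (e.g. an asset meant to be embedded cross-origin);
        // its value wins and only nosniff is added. Lower-case name exercises the
        // case-insensitive check.
        Response override = new Response(200);
        override.setHeader("cross-origin-resource-policy", "cross-origin");
        decorator.apply(override);
        System.out.println("override: " + override.headers);

        // Case 3: a 500 produced by an exception path that bypasses the dispatch chain
        // never reaches the decorator, so it carries neither header. This is the gap the
        // commit message calls out; a ZAP scan that only hits happy paths will not surface it.
        Response fromExceptionPath = new Response(500);
        System.out.println("500 has nosniff: " + fromExceptionPath.hasHeader("X-Content-Type-Options"));
    }
}
```

Two things worth checking when reviewing the real decorator against this model: that the "already set" test ignores header-name case, and that the scan used to validate the change includes at least one request that triggers the default exception path, since that is precisely where the headers are known to be absent.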
@thced thced merged commit 4588408 into master May 21, 2026
4 checks passed
@thced thced deleted the feat/security-headers-decorator branch May 21, 2026 07:44