# Hosting Security Headers

Vuln Signal ships a root `_headers` file for static hosting platforms that read it, including Cloudflare Pages. A host that ignores the file serves the site without any of these headers, so the release check below is worth running on every deployment target, not only the primary one.

## Current Headers

The default route (the rule that applies to every path) sets:

- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: DENY`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy` denying camera, microphone, geolocation, payment, USB, and serial access
- `Cross-Origin-Opener-Policy: same-origin`
- `X-Permitted-Cross-Domain-Policies: none`

Static assets get short cache windows so that updates to public files are not pinned in browser and CDN caches during active development.

## CSP Note

No Content Security Policy is enabled yet. The site currently uses JavaScript modules and runtime-generated structured metadata, both of which a strict policy can break. Add a CSP only after testing the public deployment, link previews, JSON-LD, copy buttons, API calls, and all tool pages. Roll it out first under the `Content-Security-Policy-Report-Only` header name, which reports violations in the browser console without blocking anything, and switch to `Content-Security-Policy` only once the report-only run is clean.

Suggested starting point for a later CSP test:

```text
default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'
```

This policy allows no inline `<script>` blocks and no inline `style` attributes, which is usually the first thing a report-only run flags. `frame-ancestors 'none'` restates `X-Frame-Options: DENY` for browsers that honour CSP, so keep both.

## Release Check

After deployment:

- Open the browser devtools Network tab.
- Confirm the `_headers` values listed above are present on `/` and on at least one tool page, not only the front page.
- Confirm `/js/main.js`, `/css/styles.css`, `/robots.txt`, `/llms.txt`, and `/.well-known/security.txt` return the expected short cache headers.
- Confirm copy buttons and local workspace exports still work.
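The header and cache checks in the list above can be scripted instead of read off the Network tab. The script below is an added example and is not part of the Vuln Signal repository: it takes raw response headers on standard input (from `curl`, or from the constructed samples embedded in the file), compares them with the values this page lists, and extracts the `Cache-Control` max-age so the short cache window can be confirmed for each asset. The exact expected values, the `feature=()` form of the `Permissions-Policy` header, and the host `example.invalid` are assumptions; both sample responses are constructed.

```shell
#!/bin/sh
# Added example, not part of the Vuln Signal repository: check a response's
# security headers against the values this page lists. Expected values and
# the "feature=()" Permissions-Policy syntax are assumptions; the samples
# below are constructed and example.invalid is a placeholder host.
#
# Usage against a deployment (GET request, headers only):
#   sh check_headers.sh https://example.invalid/

# Expected headers: lower-cased name and exact value, one per line.
EXPECTED_HEADERS='x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
cross-origin-opener-policy: same-origin
x-permitted-cross-domain-policies: none'

# Features Permissions-Policy must deny, assumed to appear as "name=()".
DENIED_FEATURES='camera microphone geolocation payment usb serial'

# Reads raw response headers on stdin; prints "name: value" lines with the
# status line dropped, CRs removed, names lower-cased and values trimmed.
normalise_headers() {
  tr -d '\r' | awk '/^[A-Za-z0-9-]+:/ {
    i = index($0, ":")
    name = tolower(substr($0, 1, i - 1))
    value = substr($0, i + 1)
    sub(/^[ \t]+/, "", value)
    sub(/[ \t]+$/, "", value)
    print name ": " value
  }'
}

# header_value NAME: prints the first value of NAME from normalised headers on stdin.
header_value() {
  awk -v n="$1: " 'index($0, n) == 1 { print substr($0, length(n) + 1); exit }'
}

# cache_max_age: prints the Cache-Control max-age in seconds from raw headers on stdin.
cache_max_age() {
  normalise_headers | header_value cache-control | tr ',' '\n' |
    sed -n 's/^ *max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_headers: raw response headers on stdin. Prints one line per defect and
# returns 0 only when every expected header matches and every feature is denied.
check_headers() {
  norm=$(normalise_headers)
  rc=0
  while IFS= read -r expected; do
    name=${expected%%:*}
    want=${expected#*: }
    got=$(printf '%s\n' "$norm" | header_value "$name")
    if [ -z "$got" ]; then
      echo "MISSING  $name"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $name: got '$got', want '$want'"; rc=1
    fi
  done <<EOF
$EXPECTED_HEADERS
EOF
  pp=$(printf '%s\n' "$norm" | header_value permissions-policy)
  if [ -z "$pp" ]; then
    echo "MISSING  permissions-policy"; rc=1
  else
    for f in $DENIED_FEATURES; do
      case "$pp" in
        *"$f=()"*) ;;
        *) echo "PERMISSIONS-POLICY does not deny $f"; rc=1 ;;
      esac
    done
  fi
  return $rc
}

# Constructed sample: a correct response for "/".
SAMPLE_OK='HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), serial=()
cross-origin-opener-policy: same-origin
x-permitted-cross-domain-policies: none
cache-control: public, max-age=300'

# Constructed sample with two defects: no X-Frame-Options, USB not denied.
SAMPLE_BAD='HTTP/2 200
content-type: text/html
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), serial=()
cross-origin-opener-policy: same-origin
x-permitted-cross-domain-policies: none
cache-control: public, max-age=300'

if [ "$#" -gt 0 ]; then
  # -D - dumps response headers to stdout; -o /dev/null discards the body.
  curl -sS -D - -o /dev/null "$1" | check_headers
else
  printf '%s\n' "$SAMPLE_OK" | check_headers && echo "sample OK: all expected headers present"
  printf '%s\n' "$SAMPLE_BAD" | check_headers || echo "sample BAD: rejected as expected"
fi
```

A GET with `-D -` is used rather than `curl -I`, because some hosts answer HEAD requests with a different header set than the one browsers actually receive. Run the script once per path in the checklist (`/`, a tool page, `/js/main.js`, `/css/styles.css`, `/robots.txt`, `/llms.txt`, `/.well-known/security.txt`) and compare the printed max-age against the short window the `_headers` file is meant to set.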
