From 2aec7f06fd7b10ee1089d964a00b8ed99905f167 Mon Sep 17 00:00:00 2001 From: Temrjan Date: Thu, 18 Jun 2026 10:43:25 +0500 Subject: [PATCH] fix(deploy): add security headers and body cap to Caddyfile-v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Port CSP, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and the -Server header stripping from the legacy Caddyfile. Add request_body max_size 1MB to the api.rustokwallet.com block to limit large-POST abuse. I3 (redis persistence) is out of scope — Redis was removed from deploy-v2 in chore/deploy-v2-drop-redis. --- deploy-v2/Caddyfile-v2 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/deploy-v2/Caddyfile-v2 b/deploy-v2/Caddyfile-v2 index 5496d12..c6cd4ff 100644 --- a/deploy-v2/Caddyfile-v2 +++ b/deploy-v2/Caddyfile-v2 @@ -12,6 +12,17 @@ api.rustokwallet.com { Strict-Transport-Security "max-age=31536000; includeSubDomains" X-Content-Type-Options "nosniff" X-Frame-Options "DENY" + Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" + Referrer-Policy "strict-origin-when-cross-origin" + Permissions-Policy "camera=(), microphone=(), geolocation=()" + X-XSS-Protection "0" + -Server + } + + # Cap request bodies — MCP JSON-RPC messages are small; blocks large-POST + # abuse (review #7). Raise if a future tool needs bigger payloads. + request_body { + max_size 1MB } reverse_proxy rustok-gateway:3000