From 5d041cc4c6128af9ca321ece6155472cf90c6911 Mon Sep 17 00:00:00 2001
From: gnezim
Date: Wed, 15 Apr 2026 00:49:07 +0300
Subject: [PATCH] Implement security headers middleware for HSTS, COOP, CORP, and more

---
 src/server/middleware/security-headers.ts | 27 +++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 src/server/middleware/security-headers.ts

diff --git a/src/server/middleware/security-headers.ts b/src/server/middleware/security-headers.ts
new file mode 100644
index 00000000..be9588bc
--- /dev/null
+++ b/src/server/middleware/security-headers.ts
@@ -0,0 +1,27 @@
+/**
+ * Factory returning express-style middleware that sets standard security headers.
+ * Registered by 1I when wiring middleware into Modern.js config.
+ */
+export function securityHeadersMiddleware() {
+  return (
+    _req: unknown,
+    res: { setHeader(name: string, value: string): void },
+    next: () => void,
+  ): void => {
+    res.setHeader(
+      "Strict-Transport-Security",
+      "max-age=63072000; includeSubDomains; preload",
+    );
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "SAMEORIGIN");
+    res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+    res.setHeader(
+      "Permissions-Policy",
+      "geolocation=(), camera=(), microphone=()",
+    );
+    res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+    res.setHeader("Cross-Origin-Resource-Policy", "cross-origin");
+
+    next();
+  };
+}
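Review bot: `Cross-Origin-Resource-Policy: cross-origin` on the second-to-last setHeader call is the most permissive CORP value — it declares that every response passing through this middleware (HTML pages, API JSON, everything) may be fetched no-cors or embedded from any origin, which is exactly the cross-origin read that CORP exists to deny, so as written the header provides no isolation and the commit title's "CORP" hardening is nominal. Unless this app deliberately publishes assets to other origins, the hardening default is `res.setHeader("Cross-Origin-Resource-Policy", "same-origin");` (or `same-site`), with `cross-origin` applied only on the specific routes that serve shared assets; a factory option such as `securityHeadersMiddleware({ corp: "same-origin" })` would keep that per-route without changing the call sites. Separately, the HSTS value hard-codes `includeSubDomains` and `preload` with a two-year max-age: `includeSubDomains` breaks any sibling subdomain still served over plain HTTP, and `preload` only has effect once the domain is submitted to the preload list and is then effectively irreversible, so both belong behind an explicit opt-in rather than an unconditional default. There is no Content-Security-Policy in this set; if it is emitted elsewhere, a one-line comment pointing to it would stop readers from assuming this middleware is the complete header policy. The doc comment's `Registered by 1I` reads as a garbled name and should name the actual component that wires the middleware.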