From b05521add6b18949fe3bcf75db0084fce8a48e7d Mon Sep 17 00:00:00 2001 From: Catherine Renelle <32781029+catrenelle@users.noreply.github.com> Date: Mon, 9 Mar 2026 08:15:27 -0400 Subject: [PATCH] Add Permissions-Policy security header Disables browser APIs not needed by the app: camera, microphone, geolocation, payment, USB, magnetometer, gyroscope, accelerometer. Co-Authored-By: Claude Opus 4.6 --- src/hooks.server.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/src/hooks.server.ts b/src/hooks.server.ts index 45aaf28..76a5e57 100644 --- a/src/hooks.server.ts +++ b/src/hooks.server.ts @@ -101,6 +101,7 @@ export const handle: Handle = async ({ event, resolve }) => { response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin'); response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws: wss:; frame-ancestors 'none'"); + response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()'); logger.info({ method: event.request.method,