From b4ade5b40c4f91901a86ac9af11f1140e14e2355 Mon Sep 17 00:00:00 2001
From: sabdosh <sihhamm.1805@hotmail.com>
Date: Tue, 5 May 2026 21:58:21 +1000
Subject: [PATCH] Implement global security headers and CSP

---
 config/application.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/config/application.rb b/config/application.rb
index 2b54558e56..759899af59 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -18,6 +18,13 @@ module Doubtfire
   class Application < Rails::Application
     config.load_defaults 7.0
 
+    config.action_dispatch.default_headers.merge!({
+    'X-Frame-Options' => 'DENY',
+    'X-Content-Type-Options' => 'nosniff',
+    'Referrer-Policy' => 'no-referrer',
+    'Permissions-Policy' => 'geolocation=(), camera=(), microphone=()',
+    'Content-Security-Policy' => "default-src 'self';"})
+
     # Remove Action Mailbox and Active Storage routes - not used
     initializer(:remove_action_mailbox_and_activestorage_routes, after: :add_routing_paths) do |app|
       app.routes_reloader.paths.delete_if { |path| path =~ /activestorage/ }