Done Work Item
Security hardening P0 — OWASP headers, CSRF protection, Content Security Policy, HSTS
Implement foundational security headers and CSRF protection for the operator-cockpit web app. In next.config.mjs, add HTTP security headers: Content-Security-Policy (restrict script-src, style-src, img-src to self + approved CDNs), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy (block camera, mic, geolocation). Implement CSRF token generation and validation for all state-mutating API routes (POST/PUT/PATCH/DELETE). Validate that CSRF tokens are included in all form submissions and action handlers. The Caddy HSTS header (BF-218) is the transport layer; this WI covers the application layer. Write automated checks that verify header presence in test responses.
Execution Context
- ID
- wi-BF-222
- Branch
- bf/BF-222-security-hardening-owasp-headers
- Validation
- ./scripts/validate-local.ps1
- PR
- https://github.com/SingletonTheory/build-factory-bootstrap/pull/280
Lifecycle Metadata
- Lane
- Done
- Work type
- feature
- Source
- done
- Status
- done
- State
- done
- Done criteria
- 8
Queue Truth
Freshness: Fresh (snapshot age 0s)
Drift: none.
Reconciliation Guidance
- No reconciliation required; item truth signals are consistent.
Prompt Context
./work-items/prompts/wi-BF-222.prompt.md
Implement foundational security headers and CSRF protection for the operator-cockpit web app. In next.config.mjs, add HTTP security headers: Content-Security-Policy (restrict script-src, style-src, img-src to self + approved CDNs), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy (block camera, mic, geolocation). Implement CSRF token generation and validation for all state-mutating API routes (POST/PUT/PATCH/DELETE). Validate that CSRF tokens are included in all form submissions and action handlers. The Caddy HSTS header (BF-218) is the transport layer; this WI covers the application layer. Write automated checks that verify header presence in test responses.
Available Actions
- Start executionBlocked
Queue execution handoff for this work item.
Recovery guidance
- Cause
- Done items stay closed; Start execution cannot move them backward.
- Policy context
- Lane transition policy blocks Start execution when the item is already Done.
- Next step
- Create a net-new work item if more delivery is needed instead of reopening this one.
- Safe retry
- Do not retry Start execution on a done item.
identity: start-execution
permission: factory.work-item.execute
policy gate lane-transition: blocked (Done items stay closed; Start execution cannot move them backward.)
POST /api/control-plane/items/wi-BF-222/actions/start-execution
- Request reviewBlocked
Mark this item ready for review lane handoff.
Recovery guidance
- Cause
- Done items stay closed; Request review cannot move them backward.
- Policy context
- Lane transition policy blocks Request review when the item is already Done.
- Next step
- Create a net-new work item if more delivery is needed instead of reopening this one.
- Safe retry
- Do not retry Request review on a done item.
identity: request-review
permission: factory.work-item.request-review
policy gate lane-transition: blocked (Done items stay closed; Request review cannot move them backward.)
POST /api/control-plane/items/wi-BF-222/actions/request-review
- Prepare releaseEnabled
Run release-preparation checks for the work item.
identity: prepare-release
permission: factory.work-item.prepare-release
policy gate lane-eligibility: pass
policy gate pull-request: pass
POST /api/control-plane/items/wi-BF-222/actions/prepare-release
- Record historyEnabled
Capture history snapshots for audit and validation views.
identity: record-history
permission: factory.work-item.record-history
policy gate context-visibility: pass
POST /api/control-plane/items/wi-BF-222/actions/record-history