Add security response headers to prevent Safe Browsing flag #102

Merged: stylessh merged 1 commit into main from stylessh/fix-safe-browsing on Apr 13, 2026

@stylessh
Owner

Summary

  • Adds standard security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) to all responses from the worker entry point
  • Mitigates Google Safe Browsing falsely flagging the site as phishing due to the OAuth login flow on a newer domain
  • Intentionally omits Content-Security-Policy to avoid blocking API calls to GitHub and Cloudflare

Test plan

  • Deploy to preview and verify security headers are present on responses (check via browser DevTools Network tab)
  • Confirm GitHub OAuth login flow still works end-to-end
  • Confirm API calls to GitHub and WebSocket connections are unaffected

Google Safe Browsing flagged the production site as phishing due to
the OAuth login flow on a newer domain. Add HSTS, X-Content-Type-Options,
X-Frame-Options, Referrer-Policy, and Permissions-Policy headers to all
responses from the worker entry point.
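
An example of the approach described above, added here for illustration and not taken from this PR's diff: rebuild each response at the worker entry point with the five headers set and Content-Security-Policy left out. The header values and the names `withSecurityHeaders`, `missingSecurityHeaders` and `wrapHandler` are assumptions; the PR lists only the header names.

```javascript
// Added example. Header values are assumptions; the PR names the headers only.
const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};
// Content-Security-Policy is deliberately absent, matching the PR's choice.

function withSecurityHeaders(response) {
  // A 101 upgrade response carries the WebSocket. The rebuild below does not
  // carry the socket over, so hand such a response back untouched.
  if (response.status === 101 || response.webSocket) return response;

  // Responses returned by fetch() have immutable headers, so copy them.
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!headers.has(name)) headers.set(name, value); // keep a route's own value
  }
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Check for the test plan: which expected headers a response still lacks.
function missingSecurityHeaders(response) {
  return Object.keys(SECURITY_HEADERS).filter((n) => !response.headers.has(n));
}

// Hypothetical wiring: `handler` stands in for the worker's existing fetch logic.
function wrapHandler(handler) {
  return {
    async fetch(request, env, ctx) {
      return withSecurityHeaders(await handler(request, env, ctx));
    },
  };
}
// In the worker entry point: export default wrapHandler(existingFetch);
```

Running `missingSecurityHeaders` against a preview deployment's responses gives the same answer as the DevTools check in the test plan, in a form that can sit in CI.
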
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | diffkit | 747a28e | Apr 13 2026, 10:06 PM |

@stylessh merged commit b489f9a into main Apr 13, 2026
4 checks passed
stylessh added a commit that referenced this pull request Apr 18, 2026
…#102)

Google Safe Browsing flagged the production site as phishing due to
the OAuth login flow on a newer domain. Add HSTS, X-Content-Type-Options,
X-Frame-Options, Referrer-Policy, and Permissions-Policy headers to all
responses from the worker entry point.