From 747a28e0ad120b38c3e82555e740391bb8cf7e52 Mon Sep 17 00:00:00 2001
From: Alan Daniel
Date: Mon, 13 Apr 2026 18:05:15 -0400
Subject: [PATCH] Add security response headers to mitigate Safe Browsing phishing flag

Google Safe Browsing flagged the production site as phishing due to the OAuth login flow on a newer domain. Add HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers to all responses from the worker entry point.

---
apps/dashboard/src/entry-worker.ts | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/apps/dashboard/src/entry-worker.ts b/apps/dashboard/src/entry-worker.ts
index b527bba..02fc397 100644
--- a/apps/dashboard/src/entry-worker.ts
+++ b/apps/dashboard/src/entry-worker.ts
@@ -2,6 +2,14 @@ import startEntry from "@tanstack/react-start/server-entry";
 export { SignalRelay } from "./lib/signal-relay.server";
+const SECURITY_HEADERS: Record = {
+ "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
+ "X-Content-Type-Options": "nosniff",
+ "X-Frame-Options": "DENY",
+ "Referrer-Policy": "strict-origin-when-cross-origin",
+ "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
+};
+
 async function handleWebSocketUpgrade(
 request: Request,
 env: Record,
@@ -53,6 +61,16 @@ export default {
 env: Record,
 ctx: ExecutionContext,
 ) => Promise;
- return (startEntry.fetch as unknown as WorkerFetch)(request, env, ctx);
+ const response = await (startEntry.fetch as unknown as WorkerFetch)(
+ request,
+ env,
+ ctx,
+ );
+
+ for (const [key, value] of Object.entries(SECURITY_HEADERS)) {
+ response.headers.set(key, value);
+ }
+
+ return response;
 },
 };
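Review bot: The `SECURITY_HEADERS` literal carries no comment explaining why `Strict-Transport-Security` is sent with `includeSubDomains; preload`, and that directive commits every subdomain of the origin to HTTPS for the full `max-age` (63072000 seconds, two years) and is hard to withdraw once browsers have cached it or the host is on the preload list. A comment above the constant such as `// Applied to every response; HSTS preload covers all subdomains — confirm each one serves HTTPS before deploying` would make that trade-off explicit for the next maintainer. The `: Record` annotation (whose type arguments appear stripped in this rendering) widens the literal; `satisfies Record<string, string>` keeps the literal keys while still checking the values. No `Content-Security-Policy` is in the set, and its `frame-ancestors` directive is the successor to the `X-Frame-Options` line, so if CSP is applied elsewhere a one-line note here saying so would help.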
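Review bot: The `response.headers.set(key, value)` loop mutates the Headers of the Response returned by `startEntry.fetch`, and if that Response carries an immutable Headers guard (as responses obtained from `fetch()` and some frameworks do) the first `set` throws a TypeError, so every request would fail instead of gaining the headers. Copying into a fresh Response before mutating avoids that: `const upstream = await (startEntry.fetch as unknown as WorkerFetch)(request, env, ctx);` followed by `const response = new Response(upstream.body, upstream);` and then the existing loop. The `Record` and `Promise` type arguments look stripped by the rendering; if the file really has bare `Record` and `Promise` it will not type-check under strict settings. Whether the WebSocket upgrade path from `handleWebSocketUpgrade` also reaches this loop is not visible here, and the enclosing `fetch` method begins outside the hunk.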