security(caddy): add Permissions-Policy header

Adds `Permissions-Policy: camera=(), microphone=(), geolocation=()` to the shared (security_headers) snippet, so both archiv vhosts and the git vhost deny browser APIs the app does not use. Reduces blast radius of an XSS landing in a privileged origin. The deploy smoke steps in nightly.yml and release.yml gain a matching assertion against the canonical header value, so a future Caddyfile edit that drops or loosens the header (e.g. `camera=(self)`) fails the deploy instead of regressing silently. `caddy validate` against caddy:2 passes; both workflow YAMLs parse. Addresses @nora's round-2 suggestion on PR #499 — "lower-impact than CSP but nearly free". Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 14:06:13 +02:00
parent 8fcf653cb0
commit 09680557ef
3 changed files with 14 additions and 0 deletions
--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -18,6 +18,10 @@
 		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 		X-Content-Type-Options "nosniff"
 		Referrer-Policy "strict-origin-when-cross-origin"
+		# Deny browser APIs the app does not use. Reduces blast radius of an
+		# XSS landing in a privileged origin: a payload cannot silently turn
+		# on the microphone or read geolocation.
+		Permissions-Policy "camera=(), microphone=(), geolocation=()"
 		-Server
 	}
 }