Skip to content

docs(security): response-header hardening (app-level controls + #1567 gap)#560

Draft
kriszyp wants to merge 2 commits into
mainfrom
kris/http-header-hardening-docs
Draft

docs(security): response-header hardening (app-level controls + #1567 gap)#560
kriszyp wants to merge 2 commits into
mainfrom
kris/http-header-hardening-docs

Conversation

@kriszyp

@kriszyp kriszyp commented Jul 2, 2026

Copy link
Copy Markdown
Member

Summary

Adds a dedicated Response Header Hardening page to the Security reference (reference/security/response-headers.md), framed around the controls that actually work on the primary Harper deployment model — Harper-hosted (Fabric), where there is no customer-controlled reverse proxy / CDN / edge to configure.

Framing (revised after reviewer feedback):

  1. Lead with the app-level mechanism. A custom Resource handler can set response headers via context.responseHeaders.set(name, value) (from getContext() on HTTP-triggered requests). Example sets X-Content-Type-Options: nosniff and notes where frame-options / CSP go. This is accurate to responses that flow through a custom Resource handler.
  2. State the gap clearly. There is currently no built-in/config way to apply these headers to Harper's auto-generated REST / table / GraphQL endpoints, and no global default. Tracked in HarperFast/harper#1567 — "Provide a built-in way to set security/cache response headers across all HTTP surfaces." Framed as: for now, add headers from custom Resources; global/auto-endpoint coverage is #1567.
  3. Edge config demoted to a fallback. The reverse-proxy/Nginx guidance is kept but flagged as applicable only to self-hosted deployments (not Fabric), with a trimmed 3-line snippet.
  4. Caching of authenticated responses reframed around app/platform controls (set Cache-Control: no-store from a Resource; key on identity if caching), with the missing built-in cache-control also referencing #1567.
  5. Style fixes: forward-compat note now addresses engineers directly (per Kris's style guide) instead of a meta reader-note; X-Frame-Options guidance kept conservative but explicitly app-specific.

Placement: split into its own page rather than wedging into the auth-focused Configuration page. Added to the Reference sidebar (sidebarsReference.ts) under Security, and cross-linked from the auth Configuration page and reference/rest/headers.md.

Scope / what's deliberately NOT here

Identified during exploratory QA (D-177 / header-hardening theme) but tracked as separate engineering fixes and intentionally excluded — this PR is guidance only:

Gap Tracking issue
CORS Vary: Origin missing harper#1518
Auth responses need Cache-Control/Vary: Authorization at origin harper#1565
Session cookie SameSite/TTL hardening harper#1564
304 Not Modified drops Vary harper#1566
Built-in header/cache-control across all HTTP surfaces harper#1567

Files changed

  • reference/security/response-headers.mdnew page
  • reference/security/configuration.md — cross-link under Related (previous inline section removed)
  • reference/rest/headers.md — cross-link in See Also
  • sidebarsReference.ts — sidebar entry

Test plan

  • Docusaurus renders the new page; sidebar entry appears under Security
  • Confirm the Resource responseHeaders.set() example matches current API (getContext()responseHeaders)
  • Verify all cross-links resolve
  • Confirm #1567 gap framing reads accurately for auto-generated REST/GraphQL

Drafted by KrAIs (Kris's QA agent) from exploratory QA campaign findings D-177 + the header-hardening theme. Reworked per reviewer feedback (Fabric hosting has no customer edge). Opened as DRAFT for Kris's review before merging.

🤖 Generated with Claude Code

Add guidance for setting browser security-hardening headers (X-Content-Type-Options,
X-Frame-Options, CSP, Referrer-Policy, HSTS, Permissions-Policy, Cross-Origin-*)
at a reverse proxy/CDN rather than at the Harper origin. Also covers the risk of
shared-cache storing authenticated/allowRead-gated responses when Harper does not
emit Cache-Control.

Cross-linked from reference/rest/headers.md See Also section.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds documentation on HTTP response header hardening and caching of authenticated responses, explaining how to configure browser security headers and cache-control at the edge layer. The review feedback points out a drafting instruction left in the text and suggests rephrasing it to be user-facing.

Comment thread reference/security/configuration.md Outdated

CSP values are application-specific and intentionally omitted here — set them based on the origins your application legitimately loads scripts, styles, and media from.

> These defaults may tighten in future Harper releases. Frame the edge configuration as a deployment baseline, not a permanent substitute for origin-level headers.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This sentence contains an imperative drafting instruction ("Frame the edge configuration...") that appears to have been left in the final text by mistake. It should be rephrased to be user-facing.

Suggested change
> These defaults may tighten in future Harper releases. Frame the edge configuration as a deployment baseline, not a permanent substitute for origin-level headers.
> These defaults may tighten in future Harper releases. Treat this edge configuration as a deployment baseline, not a permanent substitute for origin-level headers.

@github-actions github-actions Bot temporarily deployed to pr-560 July 2, 2026 12:20 Inactive
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

🚀 Preview Deployment

Your preview deployment is ready!

🔗 Preview URL: https://preview.harper-documentation.harperfabric.com/pr-560

This preview will update automatically when you push new commits.

…trols

Lead with the mechanism that works on Harper-hosted (Fabric) deployments: a custom
Resource can set response headers via context.responseHeaders.set(). Clearly state
the gap — no built-in/config way to apply headers to auto-generated REST/GraphQL
endpoints and no global default (tracked in HarperFast/harper#1567) — and demote the
reverse-proxy/CDN guidance to a self-hosted fallback.

Split into a dedicated reference/security/response-headers.md page (added to the
Reference sidebar), replacing the section previously wedged into the auth-config page.
Cross-linked from the auth Configuration page and rest/headers.md.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@kriszyp kriszyp changed the title docs(security): HTTP response-header hardening at the edge docs(security): response-header hardening (app-level controls + #1567 gap) Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

🚀 Preview Deployment

Your preview deployment is ready!

🔗 Preview URL: https://preview.harper-documentation.harperfabric.com/pr-560

This preview will update automatically when you push new commits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant