From c82ab5c7f511d44418d3ef1de99d524843a77380 Mon Sep 17 00:00:00 2001 From: Jared Vititoe Date: Thu, 2 Jul 2026 14:41:08 -0400 Subject: [PATCH] chore(contrib): security headers in example nginx/caddy configs (P6-4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add HSTS + Permissions-Policy + the standard X-Frame/X-Content/Referrer set to the contrib nginx (443 block) and caddy examples; fix the caddy SPA try_files fallback (stray space). Generic (no homeserver-specific CSP). The real prod config lives in the matrix repo. P6-4 trimmed to headers only — patch-package / types-drift / build-config skipped (see LOTUS_TODO). Co-Authored-By: Claude Opus 4.8 --- LOTUS_BUGS.md | 1 + LOTUS_TODO.md | 9 ++++++++- contrib/caddy/caddyfile | 13 ++++++++++++- contrib/nginx/cinny.domain.tld.conf | 9 +++++++++ 4 files changed, 30 insertions(+), 2 deletions(-) diff --git a/LOTUS_BUGS.md b/LOTUS_BUGS.md index 8f68d695a..b50940495 100644 --- a/LOTUS_BUGS.md +++ b/LOTUS_BUGS.md @@ -45,6 +45,7 @@ Implemented and gate-green; confirm each per `LOTUS_TESTING.md`, then delete the | P6-1 | Desktop Linux parity (no-sleep in calls, launcher badge), autostart toggle, tray Do-Not-Disturb | `native/power.rs`, `lib.rs`, `useTauriDnd`, `General.tsx` | Linux desktop: no display sleep during a call; tray DND silences notifications; launch-on-login persists; Unity badge (Ubuntu); DND toggle polarity | | P6-2 | EC deafen/screenshare-audio-mute via `io.lotus.set_deafen` (retires the `
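Review bot: in the LOTUS_BUGS.md hunk (@@ -45,6 +45,7 @@), the one added line sits among table rows whose last column states what to observe (the P6-1 row lists four checks), so the new entry should carry an equally concrete check. For a headers-only change that means naming the response headers the commit message lists (HSTS, Permissions-Policy, and the X-Frame/X-Content/Referrer set) and where they are expected (the nginx 443 block and the caddy example), so the entry can be confirmed per `LOTUS_TESTING.md` and then deleted. The diffstat also shows LOTUS_BUGS.md and LOTUS_TODO.md changing under a `chore(contrib)` subject; consider splitting the tracker updates into their own commit or mentioning them in the subject line.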