filmil · filmil · Apr 26, 2026 · Apr 25, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -2,3 +2,7 @@
 **Vulnerability:** Lack of security headers (`Content-Security-Policy`, `X-Content-Type-Options`, `X-Frame-Options`, `Strict-Transport-Security`)
 **Learning:** `http.Serve` does not implement standard security headers natively.
 **Prevention:** Always wrap `http.ServeMux` or route handlers with an HTTP middleware that adds essential security headers.
+## 2025-04-25 - Enhance Security Headers
+**Vulnerability:** Missing strict Referrer-Policy header.
+**Learning:** While the app has basic security headers (CSP, X-Content-Type-Options, etc.), adding `Referrer-Policy: strict-origin-when-cross-origin` helps prevent leaking potentially sensitive URL information to external domains when cross-origin links are clicked.
+**Prevention:** Include a comprehensive set of security headers for all web endpoints as a standard defense-in-depth practice.
diff --git a/internal/server/http_server.go b/internal/server/http_server.go
@@ -307,6 +307,7 @@ func withSecurityHeaders(next http.Handler) http.Handler {
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("X-Frame-Options", "DENY")
 		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
 		next.ServeHTTP(w, r)
 	})
 }