[Security] Missing security headers on API server responses (CSP, X-Frame-Options, HSTS)

[DataAdvisory]

Summary

The API server middleware (gateway/platforms/api_server.py, lines 231-246) only sets two security headers:

• X-Content-Type-Options: nosniff
• Referrer-Policy: strict-origin-when-cross-origin

Several important security headers are missing.

Missing Headers

Header	Purpose	Recommended Value
X-Frame-Options	Prevent clickjacking	DENY
Content-Security-Policy	Prevent XSS and data injection	default-src 'none' (for API responses)
Strict-Transport-Security	Force HTTPS	max-age=31536000; includeSubDomains (when TLS enabled)
X-XSS-Protection	Legacy XSS prevention	0 (disable, rely on CSP instead)
Permissions-Policy	Restrict browser features	camera=(), microphone=(), geolocation=()

Attack Vector

Without these headers, when the API server is accessed from a browser (e.g., via Open WebUI or custom frontends):

• Clickjacking: Responses can be framed by malicious sites
• Content injection: Missing CSP allows broader attack surface
• Downgrade attacks: Missing HSTS allows HTTP downgrade when TLS is in use

Severity

MEDIUM — Browser-facing attack vectors when API is used with web frontends.

Recommendation

Add to the security headers middleware at line 239:

response.headers['X-Frame-Options'] = 'DENY'
response.headers['Content-Security-Policy'] = "default-src 'none'"
response.headers['Permissions-Policy'] = 'camera=(), microphone=(), geolocation=()'
# Only add HSTS when TLS is configured:
# response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'

Environment

• Hermes Agent latest (main branch, cloned 2026-04-11)
• Identified via code review and HTTP response inspection

[alt-glitch]

Related to #16456 which requests the same headers on the dashboard web server. PR #7553 (closed) bundled a fix for this. PR #3576 (merged) added the initial subset of headers.