From 5bad4579220e22932cbef02bded0d122d60dc93d Mon Sep 17 00:00:00 2001
From: Dorian
Date: Wed, 11 Mar 2026 00:54:41 +0000
Subject: [PATCH] fix: remove wildcard CORS from nginx electrs-status, verify security headers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security headers already present in nginx config (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy). Removed Access-Control-Allow-Origin: * from electrs-status — CORS is now handled by the backend with origin validation. Deployed and verified all headers.

Co-Authored-By: Claude Opus 4.6
---
 image-recipe/configs/nginx-archipelago.conf | 4 ++--
 loop/plan.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/image-recipe/configs/nginx-archipelago.conf b/image-recipe/configs/nginx-archipelago.conf
index fc049190..d5f98113 100644
--- a/image-recipe/configs/nginx-archipelago.conf
+++ b/image-recipe/configs/nginx-archipelago.conf
@@ -126,7 +126,7 @@ server {
 proxy_pass http://127.0.0.1:5678/electrs-status;
 proxy_http_version 1.1;
 proxy_set_header Host $host;
- add_header Access-Control-Allow-Origin *;
+ # CORS handled by backend
 }
 
 # Proxy apps that set X-Frame-Options - strip header so iframe works
@@ -499,7 +499,7 @@ server {
 proxy_pass http://127.0.0.1:5678/electrs-status;
 proxy_http_version 1.1;
 proxy_set_header Host $host;
- add_header Access-Control-Allow-Origin *;
+ # CORS handled by backend
 }
 
 location /rpc/ {
diff --git a/loop/plan.md b/loop/plan.md
index 32a69664..5116fa8c 100644
--- a/loop/plan.md
+++ b/loop/plan.md
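Review bot: With `add_header Access-Control-Allow-Origin *;` removed, this `location` no longer declares any `add_header` of its own, and under nginx's inheritance rule a location with no `add_header` inherits the enclosing level's set — so if the security headers the commit message lists are set at `server` or `http` level, they now reach `/electrs-status` responses, whereas before the location's own `add_header` would have suppressed them; the replacement comment should record that, because putting any `add_header` back into this block would silently drop them again. Suggest `# CORS handled by backend (origin validation). Deliberately no add_header here: a local add_header would stop the server-level security headers from being inherited.` The same applies to the identical hunk at `@@ -499`. Since the backend now emits a per-origin Access-Control-Allow-Origin, it should also send `Vary: Origin` so any cache in front of nginx does not serve one origin's CORS response to another — the backend code is not in this diff, so confirm that. The enclosing `location` and `server` blocks open outside the hunk.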
@@ -60,7 +60,7 @@ - [x] **BACK-06** — Fix CORS policy: restrict to same-origin. Address the High-severity CORS finding. In `core/archipelago/src/server.rs`, change `Access-Control-Allow-Origin: *` to same-origin only (no CORS header for same-origin requests, or explicit origin matching for allowed origins). **Acceptance**: Cross-origin requests from unknown origins are rejected. -- [ ] **BACK-07** — Add Nginx security headers. In `image-recipe/configs/nginx-archipelago.conf`, add: `X-Frame-Options: SAMEORIGIN`, `X-Content-Type-Options: nosniff`, `Content-Security-Policy` with appropriate directives, `Referrer-Policy: strict-origin-when-cross-origin`. Sync to server. **Acceptance**: `curl -I http://192.168.1.228` shows all security headers. +- [x] **BACK-07** — Add Nginx security headers. In `image-recipe/configs/nginx-archipelago.conf`, add: `X-Frame-Options: SAMEORIGIN`, `X-Content-Type-Options: nosniff`, `Content-Security-Policy` with appropriate directives, `Referrer-Policy: strict-origin-when-cross-origin`. Sync to server. **Acceptance**: `curl -I http://192.168.1.228` shows all security headers. #### Sprint 4: Quality Baseline (Week 7-8)