From 9209b778982ae698e53755fe4f3068bbab040cf4 Mon Sep 17 00:00:00 2001
From: habakan <kansukebano@gmail.com>
Date: Sun, 1 Mar 2026 10:02:09 +0900
Subject: [PATCH] feat(gateway): add Permissions-Policy header to default
 security headers

---
 src/gateway/http-common.test.ts | 49 +++++++++++++++++++++++++++++++++
 src/gateway/http-common.ts      |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 src/gateway/http-common.test.ts

diff --git a/src/gateway/http-common.test.ts b/src/gateway/http-common.test.ts
new file mode 100644
index 00000000000..3292baed8c4
--- /dev/null
+++ b/src/gateway/http-common.test.ts
@@ -0,0 +1,49 @@
+import { describe, expect, it } from "vitest";
+import { setDefaultSecurityHeaders } from "./http-common.js";
+import { makeMockHttpResponse } from "./test-http-response.js";
+
+describe("setDefaultSecurityHeaders", () => {
+  it("sets X-Content-Type-Options", () => {
+    const { res, setHeader } = makeMockHttpResponse();
+    setDefaultSecurityHeaders(res);
+    expect(setHeader).toHaveBeenCalledWith("X-Content-Type-Options", "nosniff");
+  });
+
+  it("sets Referrer-Policy", () => {
+    const { res, setHeader } = makeMockHttpResponse();
+    setDefaultSecurityHeaders(res);
+    expect(setHeader).toHaveBeenCalledWith("Referrer-Policy", "no-referrer");
+  });
+
+  it("sets Permissions-Policy", () => {
+    const { res, setHeader } = makeMockHttpResponse();
+    setDefaultSecurityHeaders(res);
+    expect(setHeader).toHaveBeenCalledWith(
+      "Permissions-Policy",
+      "camera=(), microphone=(), geolocation=()",
+    );
+  });
+
+  it("sets Strict-Transport-Security when provided", () => {
+    const { res, setHeader } = makeMockHttpResponse();
+    setDefaultSecurityHeaders(res, {
+      strictTransportSecurity: "max-age=63072000; includeSubDomains; preload",
+    });
+    expect(setHeader).toHaveBeenCalledWith(
+      "Strict-Transport-Security",
+      "max-age=63072000; includeSubDomains; preload",
+    );
+  });
+
+  it("does not set Strict-Transport-Security when not provided", () => {
+    const { res, setHeader } = makeMockHttpResponse();
+    setDefaultSecurityHeaders(res);
+    expect(setHeader).not.toHaveBeenCalledWith("Strict-Transport-Security", expect.anything());
+  });
+
+  it("does not set Strict-Transport-Security for empty string", () => {
+    const { res, setHeader } = makeMockHttpResponse();
+    setDefaultSecurityHeaders(res, { strictTransportSecurity: "" });
+    expect(setHeader).not.toHaveBeenCalledWith("Strict-Transport-Security", expect.anything());
+  });
+});
diff --git a/src/gateway/http-common.ts b/src/gateway/http-common.ts
index 7e0b84ab5d7..fdbf70b3594 100644
--- a/src/gateway/http-common.ts
+++ b/src/gateway/http-common.ts
@@ -14,6 +14,7 @@ export function setDefaultSecurityHeaders(
 ) {
   res.setHeader("X-Content-Type-Options", "nosniff");
   res.setHeader("Referrer-Policy", "no-referrer");
+  res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
   const strictTransportSecurity = opts?.strictTransportSecurity;
   if (typeof strictTransportSecurity === "string" && strictTransportSecurity.length > 0) {
     res.setHeader("Strict-Transport-Security", strictTransportSecurity);