site: add P0 security response headers to .htaccess
Engineering guardrails for AI coding agents
Brought to you by:
mnemehq
Originally created by: TheoV823
Adds four passive security response headers to site/.htaccess, inside the existing <IfModule mod_headers.c> block:
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
This is the low-risk P0 subset of a larger security-headers finding. HSTS and CSP are deliberately excluded — HSTS is hard to reverse once browser-cached, and a strict CSP can block GA4/inline SVG/fonts. Both warrant separate, higher-care rollouts.
site/.htaccess changed (+7 lines, 0 deletions).
Vary block and the cache FilesMatch blocks, still inside the mod_headers guard.
mod_headers.c block (lines 60–63; guard spans 51–79).
Header always set NAME "VALUE"; <IfModule>/<FilesMatch> tags balanced 7/7; quotes balanced.
scripts/check_encoding.py: OK (380 files scanned).
scripts/seo_check.py: runs clean (169 pages, exit 0); checker does not inspect .htaccess and no HTML changed, so no regression.
configtest was not run; structural + grammar validation used instead. Worth a quick post-deploy header check against the live site.
main triggers deploy-site.yml (paths: site/**) → cPanel API upload + Cloudflare purge → headers go live on mnemehq.com within minutes. This is a real production change.
X-Frame-Options: SAMEORIGIN, which blocks third-party sites from embedding mnemehq.com pages in an iframe. No known/intended external embeds exist for the marketing site — please confirm before merge if any partner/demo embed relies on framing.
git revert <sha> on main); the next deploy removes the headers, and because there's no HSTS nothing persists in browsers — removal is complete on the next request.
site/.htaccess and redeploy.
.htaccess returns site-wide HTTP 500. Mitigated here by structural + grammar validation; if it ever happens, revert is the fast fix.
After deploy, confirm headers on both apex and www:
curl -sI https://mnemehq.com/ | grep -iE 'x-frame|x-content-type|referrer-policy|permissions-policy'
curl -sI https://www.mnemehq.com/ | grep -iE 'x-frame|x-content-type|referrer-policy|permissions-policy'
Do not merge yet — opened for review.
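As an added example (not code from the PR or from the mnemehq repository), the post-deploy check above written as a bash function so it can fail a pipeline instead of relying on eyeballing grep output. It reads a `curl -sI` header dump on stdin and returns non-zero unless all four headers are present with exactly the values the PR sets; it also reports HSTS or CSP if either happens to be present already, since the PR deliberately leaves both out. The hostnames are the ones in the PR; the `/no-such-page` path and the sample header block are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: post-deploy check for the four P0 headers.
# Reads a raw response-header block on stdin (what `curl -sI` prints) and exits
# non-zero unless every header is present with the exact configured value.
# Header names are matched case-insensitively; values must match exactly.
#
# Usage against the live site (assumes network access):
#   curl -sI https://mnemehq.com/              | check_p0_headers
#   curl -sI https://www.mnemehq.com/          | check_p0_headers
#   curl -sI https://mnemehq.com/no-such-page  | check_p0_headers
# The 404 probe matters: `Header always set` is what puts the headers on
# non-2xx responses as well, so a 404 is the cheap way to confirm `always`
# took effect rather than a plain `Header set`.

# name:value pairs exactly as configured in site/.htaccess.
P0_EXPECTED='x-frame-options:SAMEORIGIN
x-content-type-options:nosniff
referrer-policy:strict-origin-when-cross-origin
permissions-policy:camera=(), microphone=(), geolocation=()'

# Print the value of header $2 (lower-case name) from header block $1:
# first match wins, name compared case-insensitively, nothing printed if absent.
header_value() {
  printf '%s\n' "$1" | awk -v n="$2" '
    tolower(substr($0, 1, length(n) + 1)) == n ":" {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }'
}

check_p0_headers() {
  local hdrs rc=0 name want got
  hdrs=$(tr -d '\r')            # curl emits CRLF; normalise before matching
  while IFS=: read -r name want; do
    [ -n "$name" ] || continue
    got=$(header_value "$hdrs" "$name")
    if [ "$got" = "$want" ]; then
      printf 'OK   %s: %s\n' "$name" "$got"
    else
      printf 'FAIL %s: got "%s", want "%s"\n' "$name" "$got" "$want" >&2
      rc=1
    fi
  done <<EOF
$P0_EXPECTED
EOF
  # Out of scope for this PR, but worth knowing if they are already live:
  # HSTS persists in browsers for its max-age, and CSP can break GA4/inline SVG/fonts.
  for name in strict-transport-security content-security-policy; do
    got=$(header_value "$hdrs" "$name")
    [ -z "$got" ] || printf 'NOTE %s present (not set by this PR): %s\n' "$name" "$got"
  done
  return "$rc"
}

# Constructed sample (not captured from the live site): what a correct deploy
# should return. Replace with `curl -sI https://mnemehq.com/` for real use.
SAMPLE_OK=$(printf 'HTTP/2 200\r\nContent-Type: text/html; charset=UTF-8\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\nPermissions-Policy: camera=(), microphone=(), geolocation=()\r\n')
printf '%s\n' "$SAMPLE_OK" | check_p0_headers
```

Run it against both apex and www as the PR asks, then once more against a path that 404s; a header that shows up on the 200 but not the 404 means the directive is being applied without `always`.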
Originally posted by: github-actions[bot]
mneme self-governance check
Mode: warn - verdicts are visible but do not block merge. Rollout plan: .mneme/README.md.
Summary: 0 pass, 0 warn, 1 fail, 0 unknown
site/.htaccess
FAIL [site_perf_001] anti_pattern "synchronous Google Fonts CSS link in " -- trigger: fonts
  Site pages with inline JavaScript must defer animations and pre-size dynamic containers to prevent CLS and TBT regressions on mobile.
WARN ADR_CHANGED [ADR-001] ADR-001 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-001-positioning-and-messaging.md
WARN ADR_CHANGED [ADR-002] ADR-002 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-002-repo-boundary-internal-tooling.md
WARN ADR_CHANGED [ADR-003] ADR-003 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-003-site-publishing-guidelines.md
WARN ADR_CHANGED [ADR-004] ADR-004 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-004-brand-name-mneme-hq.md
WARN ADR_CHANGED [ADR-005] ADR-005 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-005-brand-vs-package-namespace-enforcement.md
WARN ADR_CHANGED [ADR-006] ADR-006 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-006-insights-article-seo-requirements.md
WARN ADR_CHANGED [ADR-007] ADR-007 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-007-og-image-generation.md
WARN ADR_CHANGED [ADR-008] ADR-008 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-008-persona-buyer-page-content-standards.md
WARN ADR_CHANGED [ADR-009] ADR-009 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-009-explicit-text-encoding-in-automation.md
WARN ADR_CHANGED [ADR-010] ADR-010 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-010-automation-artifact-governance.md
WARN ADR_CHANGED [ADR-011] ADR-011 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-011-knowledge-graph-content-architecture.md
WARN ADR_CHANGED [ADR-012] ADR-012 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-012-conceptual-authority-discipline.md
WARN ADR_CHANGED [ADR-013] ADR-013 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-013-external-platform-presence-standards.md
WARN ADR_CHANGED [ADR-014] ADR-014 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-014-harness-complementary-positioning-vocabulary.md
WARN ADR_CHANGED [ADR-015] ADR-015 source file changed since import (hash mismatch). Re-run `mneme adr import` to refresh the imported decision. source: ../docs/adr/ADR-015-report-anchored-insight-titles.md
Result: FAIL
site/.htaccess — FAIL
Generated by .github/workflows/mneme-check.yml · query = PR title + file path · scope = repo-governance paths.