tjamescouch · tjamescouch · Feb 6, 2026 · Feb 6, 2026
diff --git a/mabp-api/index.js b/mabp-api/index.js
@@ -3,8 +3,20 @@ const cors = require('cors');
 const marketplaceRouter = require('./marketplace-aggregator');
 
 const app = express();
+app.disable('x-powered-by');
 app.use(cors());
-app.use(express.json());
+app.use(express.json({ limit: '64kb' }));
+app.use((req, res, next) => {
+  res.set({
+    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
+    'X-Frame-Options': 'DENY',
+    'X-Content-Type-Options': 'nosniff',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'X-XSS-Protection': '0',
+    'Content-Security-Policy': "default-src 'self'"
+  });
+  next();
+});
 
 // Mount marketplace aggregator
 app.use('/api/marketplace', marketplaceRouter);

diff --git a/mabp-dashboard/server.js b/mabp-dashboard/server.js
@@ -4,12 +4,27 @@ const path = require('path');
 
 const PORT = 5050;
 
+const securityHeaders = {
+  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
+  'X-Frame-Options': 'DENY',
+  'X-Content-Type-Options': 'nosniff',
+  'Content-Security-Policy': "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
+  'Referrer-Policy': 'strict-origin-when-cross-origin',
+  'X-XSS-Protection': '0'
+};
+
 const server = http.createServer((req, res) => {
+  if (req.method !== 'GET' && req.method !== 'HEAD') {
+    res.writeHead(405, { ...securityHeaders, 'Allow': 'GET, HEAD' });
+    res.end('Method Not Allowed');
+    return;
+  }
+
   if (req.url === '/' || req.url === '/index.html') {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.writeHead(200, { ...securityHeaders, 'Content-Type': 'text/html' });
     res.end(fs.readFileSync(path.join(__dirname, 'index.html')));
   } else {
-    res.writeHead(404);
+    res.writeHead(404, securityHeaders);
     res.end('Not found');
   }
 });