Security Headers & CSRF
Every API response includes security headers that protect against common web vulnerabilities. This page covers the headers Thallus sets, how CSRF and CORS are handled, and how security behavior differs across environments.
Security headers
The following headers are added to every response by the security middleware:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
Permissions-Policy: camera=(), microphone=(), ...
| Header | Value | Purpose |
|---|---|---|
X-Content-Type-Options |
nosniff |
Prevents MIME type sniffing |
X-Frame-Options |
DENY |
Blocks all iframe embedding |
X-XSS-Protection |
1; mode=block |
Enables browser XSS filtering |
Referrer-Policy |
strict-origin-when-cross-origin |
Limits referrer information to origin for cross-origin requests |
Strict-Transport-Security |
max-age=31536000 |
Enforces HTTPS for 1 year (production only) |
Permissions-Policy |
camera=(), microphone=(), ... |
Disables unused browser features |
Content Security Policy
A Content Security Policy (CSP) header is enforced on all responses, restricting which resources the browser can load. This reduces the risk of XSS and data injection attacks. Resources are limited to the same origin by default, with minimal exceptions for required third-party services.
CSRF protection
Cross-Site Request Forgery protection is enforced on all state-changing requests (POST, PUT, PATCH, DELETE) that use cookie-based authentication.
How it works
- The middleware checks if the request uses cookie-based authentication
- For state-changing methods, it validates the request origin
- If the origin check fails, the request is rejected with a 403
When CSRF applies
| Condition | CSRF checked? |
|---|---|
| Cookie-authenticated POST/PUT/PATCH/DELETE | Yes |
| API key authenticated requests | No — API keys are not cookies |
| GET/HEAD/OPTIONS requests | No — safe methods are exempt |
| Requests without cookies | No — no cookie to protect |
If you authenticate exclusively with API keys (via the X-API-Key header), CSRF protection does not apply to your requests.
CORS configuration
Cross-Origin Resource Sharing is configured with an explicit allowlist of origins — Thallus does not use wildcard (*) origins.
| Setting | Value |
|---|---|
| Allowed origins | Explicitly listed per environment |
| Allow credentials | Yes |
| Allowed methods | All |
| Allowed headers | Authorization, Content-Type, X-API-Key, X-Correlation-ID |
Origins by environment
| Environment | Allowed origins |
|---|---|
| Development | Local development server origins |
| Test | Test domain configured per deployment |
| Production | Production app domain only (e.g., https://app.thallus.ai) |
Requests from origins not in the allowlist will fail the CORS preflight check, and the browser will block the response.
Environment differences
In production, security is enforced at the highest level:
| Feature | Production Behavior |
|---|---|
| HSTS | Enabled (1 year) |
| Secure cookies | Yes — HTTPS required |
| SameSite cookies | strict |
| Cookie path | Scoped to authentication endpoints |
| CORS origins | Production domain only |
| CSRF enforcement | Enabled (strict origin validation) |
Cookies require HTTPS and are scoped to authentication endpoints for minimal exposure.
Request tracing
Every request is assigned a correlation ID for tracing through logs and audit records.
| Header | Description |
|---|---|
X-Correlation-ID |
Unique identifier linking a request to its audit trail |
The correlation ID is generated automatically by the audit middleware and included in log entries, error responses, and audit records. When troubleshooting, provide the correlation ID to your administrator for faster investigation.
You can also pass your own X-Correlation-ID header — if present, the server uses your value instead of generating one. This is useful for tracking requests across multiple services in your integration.
Protection layers
Thallus applies multiple layers of security to every request:
These layers work together to protect both the API and browser-based clients. API key integrations bypass CSRF (which only applies to cookie-based auth) but are still subject to all other protections.
Related pages
- API Authentication — JWT and API key authentication details
- Rate Limiting — request throttling and lockout rules
- Error Handling — 403 and other security-related error responses
- Audit Logs — request tracing and correlation IDs