POPFile Mojolicious API Exposed: Security Headers Missing at Core File
A critical security gap has been identified in POPFile's Mojolicious-based API layer. The application's dispatch handler at `POPFile/API.pm:205` fails to set any HTTP security headers, leaving the software exposed to multiple browser-based attack vectors.
The code currently lacks six foundational response headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, and Permissions-Policy. Without these protections, the application is vulnerable to clickjacking, MIME-type sniffing attacks, and cross-site scripting exploitation. Security researchers note that if a single-page application serves from the same origin, a reflected XSS flaw could have amplified impact across user sessions.
The proposed remediation involves adding an `after_dispatch` hook within the application's initialization routine. The hook would inject headers on every response: X-Content-Type-Options set to nosniff, X-Frame-Options set to DENY, Referrer-Policy set to no-referrer, and a Content-Security-Policy restricting resource loading to same-origin sources. While the fix is straightforward in implementation, the vulnerability carries real-world risk for any deployment handling sensitive data or authenticated sessions. Teams running affected POPFile versions should prioritize applying the patch after reviewing local deployment configurations.
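The `after_dispatch` hook described above, written out as an added example (not POPFile's own code): a minimal Mojolicious app with a hypothetical package name, the six headers injected on every response, and a Test::Mojo check that they arrive. The app class, the `/api/ping` route and the specific CSP and Permissions-Policy values are assumptions for illustration; HSTS is set only on TLS responses because browsers ignore it over plain HTTP.

```perl
package POPFileAPI;    # hypothetical app name; not the real POPFile/API.pm
use Mojo::Base 'Mojolicious', -signatures;

sub startup ($app) {
    # Runs after every dispatch, so static files and routes alike get headers
    $app->hook(after_dispatch => sub ($c) {
        my $h = $c->res->headers;
        $h->header('X-Content-Type-Options' => 'nosniff');   # no MIME sniffing
        $h->header('X-Frame-Options'        => 'DENY');      # no framing (clickjacking)
        $h->header('Referrer-Policy'        => 'no-referrer');
        # Constructed policy: same-origin resources only, no framing, no plugins
        $h->header('Content-Security-Policy' =>
            "default-src 'self'; frame-ancestors 'none'; object-src 'none'");
        # Constructed policy: deny powerful browser features the API never needs
        $h->header('Permissions-Policy' => 'camera=(), microphone=(), geolocation=()');
        # HSTS is only honoured over TLS, so only emit it on secure requests
        $h->header('Strict-Transport-Security' => 'max-age=31536000; includeSubDomains')
            if $c->req->is_secure;
    });

    # Placeholder endpoint so the test has something to request
    $app->routes->get('/api/ping' => sub ($c) { $c->render(json => {ok => 1}) });
}

package main;
use Test::More;
use Test::Mojo;

# Test::Mojo builds the app over plain HTTP, so HSTS must be absent here
my $t = Test::Mojo->new('POPFileAPI');
$t->get_ok('/api/ping')->status_is(200)
  ->header_is('X-Content-Type-Options'  => 'nosniff')
  ->header_is('X-Frame-Options'         => 'DENY')
  ->header_is('Referrer-Policy'         => 'no-referrer')
  ->header_like('Content-Security-Policy' => qr/default-src 'self'/)
  ->header_like('Permissions-Policy'      => qr/camera=\(\)/)
  ->header_exists_not('Strict-Transport-Security');

done_testing;
```

Run it with `prove -v` (Perl 5.20+ for signatures); if an existing handler already sets one of these headers, guard each `header` call with a check so the hook does not silently override a deliberately stricter value.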