AntFleet

Disagreement · 0982a39f-anthropic-0

Middleware matcher still applies security headers to image/asset routes via negative lookahead on URL suffix only

solo Opus
repo e24ef98c · PR #6 · reviewed 2 weeks ago

Opus finding


low · maintainability · medium
  • apps/web/middleware.ts:52-56
The matcher excludes png/svg/ico via suffix patterns but leaves jpg, jpeg, gif, webp, woff/woff2, css, js, and map files in scope. That is probably intentional (the comment says API routes should benefit), but as written the asset-exclusion is inconsistent: an SVG is excluded while a JPG is not, despite both being non-HTML responses where CSP/HSTS provide little value and where misconfiguration (e.g., a CDN re-serving with stale headers) could cause confusion. Minor consistency issue worth flagging.

Recommendation

Either expand the suffix list to include common asset extensions (jpg|jpeg|gif|webp|woff2?|css|js|map) or document that the omission is deliberate.
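The matcher in apps/web/middleware.ts:52-56 is not quoted on this page, so the two patterns below are a reconstruction of the shape the finding describes (a negative lookahead on the URL suffix, in the form Next.js documents for `config.matcher`), not the PR's own code. `buildMatcher`, `middlewareRuns`, `assetsStillInScope` and the extension lists are names and sample inputs introduced for this added example. It reproduces the inconsistency Opus flagged (an SVG is out of scope while a JPG is in scope), shows what the recommended expanded list changes, and runs the consistency check a reviewer would want in place so the exclusion list cannot silently drift again.

```typescript
// Added example, not code from PR #6. The real matcher in middleware.ts is
// not reproduced on the review page; these patterns follow the documented
// Next.js shape '/((?!_next/static|.*\\.png$).*)' that the finding describes.

// Exclusion list as the finding describes the current matcher (png/svg/ico only).
const CURRENT_EXCLUDED = ["png", "svg", "ico"];

// Exclusion list after applying the recommendation (woff2? written out as woff, woff2).
const EXPANDED_EXCLUDED = [
  "png", "svg", "ico",
  "jpg", "jpeg", "gif", "webp", "woff", "woff2", "css", "js", "map",
];

// Common non-HTML asset extensions used by the consistency check (constructed list).
const ASSET_EXTENSIONS = [
  "png", "svg", "ico", "jpg", "jpeg", "gif", "webp",
  "woff", "woff2", "css", "js", "map",
];

// Build a Next.js-style matcher string: one route group whose negative
// lookahead skips Next internals and any pathname ending in an excluded suffix.
function buildMatcher(excluded: string[]): string {
  const suffix = `.*\\.(?:${excluded.join("|")})$`;
  return `/((?!_next/static|_next/image|${suffix}).*)`;
}

// Approximation of how Next.js applies the matcher: the single route group is
// tested as an anchored regex over the request pathname (query string not
// included). True means the middleware, and therefore its security headers, runs.
function middlewareRuns(matcher: string, pathname: string): boolean {
  const re = new RegExp(`^${matcher}$`);
  return re.test(pathname);
}

// Consistency check: which asset extensions does the middleware still run for?
// A non-empty result is exactly the drift the finding points at.
function assetsStillInScope(matcher: string): string[] {
  return ASSET_EXTENSIONS.filter((ext) =>
    middlewareRuns(matcher, `/static/example.${ext}`),
  );
}

// Stand-alone demo.
const current = buildMatcher(CURRENT_EXCLUDED);
const expanded = buildMatcher(EXPANDED_EXCLUDED);
for (const path of ["/logo.svg", "/photo.jpg", "/api/users", "/_next/static/chunks/main.js", "/api/export.js"]) {
  console.log(path, "current:", middlewareRuns(current, path), "expanded:", middlewareRuns(expanded, path));
}
console.log("still in scope (current):", assetsStillInScope(current));
console.log("still in scope (expanded):", assetsStillInScope(expanded));
```

Two things the demo makes visible. First, `assetsStillInScope(current)` returns the nine extensions Opus listed, and the expanded list returns none, so the check could live in a unit test next to the matcher. Second, a suffix-only lookahead decides by the text of the URL, not by what the route serves: with the expanded list, a route such as `/api/export.js` is skipped along with static assets, which is why the choice between expanding the list and documenting the omission is not purely cosmetic.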

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.