/**
 * Minimal Express-compatible interface so this module stays
 * framework-agnostic (mirrors the pattern in `utils/disableConditionalCaching.ts`).
 *
 * Only the two members declared here are required of a response object. Both
 * are typed as returning `unknown`, so these typings do not depend on what the
 * underlying framework returns from them.
 */
interface ResponseLike {
    /** Express-style body writer; `sendSecureHtml` is declared to take the HTML string it is given. */
    send(body: string): unknown;
    /** Express-style header setter taking a header name and its value. */
    setHeader(name: string, value: number | string | readonly string[]): unknown;
}
/**
 * Five security headers that match the owox security DoD.
 *
 * Kept as a frozen list so callers can iterate, inspect, or reference specific
 * entries in tests. Values are pinned to the exact strings required — do not
 * tweak them here without updating the DoD and integrators.
 *
 * @remarks
 * Each entry is a two-string tuple, presumably `[header name, header value]` —
 * confirm against the implementation.
 *
 * NOTE(review): `readonly` in this declaration is a compile-time constraint
 * only. Whether the array and its tuples are also frozen at runtime (for
 * example with `Object.freeze`) cannot be confirmed from this `.d.ts`; if they
 * are not, a plain-JavaScript caller or a cast could still change the values
 * for every later response.
 */
export declare const SECURITY_HEADERS: readonly (readonly [string, string])[];
/**
 * Writes all five security headers to the response.
 *
 * @remarks
 * NOTE(review): the implementation is not visible in this declaration file.
 * Presumably each `SECURITY_HEADERS` entry is passed to `res.setHeader`; in
 * that case the call has to happen before the response headers are sent —
 * confirm the ordering at each callsite.
 *
 * @param res - Response object that receives the headers; only the
 *   `ResponseLike` surface is required.
 */
export declare function applySecurityHeaders(res: ResponseLike): void;
/**
 * Sends an HTML string response with the five DoD security headers attached.
 *
 * Use this at every IDP / SSR callsite that renders server-side HTML (sign-in
 * pages, magic-link confirmation, password setup, admin dashboard, etc.) so
 * that security headers land *only* on HTML responses — not on adjacent JSON
 * endpoints under the same `/auth/*` prefix.
 *
 * @remarks
 * The headers are defense in depth and do not replace output encoding. Nothing
 * in this signature indicates that `html` is escaped or sanitized before it is
 * sent, so any user-controlled value interpolated into the markup must already
 * be HTML-encoded by the caller.
 *
 * A callsite that sends HTML without going through this helper gets none of
 * the five headers from this module, so route tests should assert the headers
 * on the actual HTML responses rather than only on `SECURITY_HEADERS`.
 *
 * NOTE(review): presumably this applies the headers and then calls
 * `res.send(html)` — confirm in the implementation.
 *
 * @param res - Response object the headers and body are written to.
 * @param html - Fully rendered HTML document or fragment to send.
 */
export declare function sendSecureHtml(res: ResponseLike, html: string): void;
export {};
//# sourceMappingURL=security-headers.d.ts.map