feat(security): make security headers configurable#224
Conversation
There was a problem hiding this comment.
🎉 Thank you for your first Pull Request to DevLink!
We appreciate your contribution to our open-source community.
Before your PR is reviewed, please ensure:
- ✅ The project builds successfully.
- ✅ Your code follows the project's coding standards.
- ✅ You have tested your changes.
- ✅ Related documentation has been updated if necessary.
Our maintainers will review your PR as soon as possible.
Thank you for helping improve DevLink! 💙
|
CI job is failing. |
|
Hi! @nensii21 I checked the failing Backend CI job. The formatter (black --check) is reporting formatting issues in files such as backend/app/core/celery_app.py and several notification-related files, which are not part of this PR. The changes in this PR are limited to: backend/app/core/config.py Could you please confirm whether the CI is picking up formatting issues from the base branch? I'm happy to make any changes needed if there's something specific in my PR. |
Description
This PR improves the configurability of backend security headers while preserving the existing default behavior.
Changes
X-Content-Type-Optionsconfigurable usingENABLE_X_CONTENT_TYPE_OPTIONS.X-Frame-Optionsconfigurable usingENABLE_X_FRAME_OPTIONS.X-Permitted-Cross-Domain-Policies.X-DNS-Prefetch-Control.Why
The project already includes core security mechanisms such as CSP, HSTS, CORS, and rate limiting. This PR enhances flexibility by allowing additional security headers to be enabled or disabled through configuration without changing the default behavior.
Closes #105