From e1a5f077e072eba49aa867d663f70e36fe4acbc4 Mon Sep 17 00:00:00 2001 From: ayeshafaeza-2427 Date: Fri, 10 Jul 2026 20:47:26 +0530 Subject: [PATCH] feat(security): make security headers configurable --- backend/README.md | 10 ++++++++++ backend/app/core/config.py | 2 ++ backend/app/middleware/security_headers.py | 13 +++++++++++-- 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/backend/README.md b/backend/README.md index e69de29b..4a8626d0 100644 --- a/backend/README.md +++ b/backend/README.md @@ -0,0 +1,10 @@ +### Configurable Security Headers + +The following response headers can be enabled or disabled through environment settings: + +- ENABLE_X_FRAME_OPTIONS +- ENABLE_X_CONTENT_TYPE_OPTIONS +- ENABLE_HSTS +- ENABLE_CSP +- ENABLE_DNS_PREFETCH_CONTROL +- ENABLE_CROSS_DOMAIN_POLICIES \ No newline at end of file diff --git a/backend/app/core/config.py b/backend/app/core/config.py index a394d7de..99b984c0 100644 --- a/backend/app/core/config.py +++ b/backend/app/core/config.py @@ -127,6 +127,8 @@ class Settings(BaseSettings): ENABLE_CSP: bool = True ENABLE_X_FRAME_OPTIONS: bool = True ENABLE_X_CONTENT_TYPE_OPTIONS: bool = True + ENABLE_DNS_PREFETCH_CONTROL: bool = True + ENABLE_CROSS_DOMAIN_POLICIES: bool = True # ========================================================== # Celery diff --git a/backend/app/middleware/security_headers.py b/backend/app/middleware/security_headers.py index ef72633e..9ec370a0 100644 --- a/backend/app/middleware/security_headers.py +++ b/backend/app/middleware/security_headers.py @@ -18,8 +18,11 @@ async def dispatch( response = await call_next(request) - response.headers["X-Content-Type-Options"] = "nosniff" - response.headers["X-Frame-Options"] = "DENY" + if settings.ENABLE_X_CONTENT_TYPE_OPTIONS: + response.headers["X-Content-Type-Options"] = "nosniff" + + if settings.ENABLE_X_FRAME_OPTIONS: + response.headers["X-Frame-Options"] = "DENY" response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin" response.headers["Permissions-Policy"] = ( @@ -32,6 +35,12 @@ async def dispatch( response.headers["Cross-Origin-Embedder-Policy"] = "require-corp" + if settings.ENABLE_CROSS_DOMAIN_POLICIES: + response.headers["X-Permitted-Cross-Domain-Policies"] = "none" + + if settings.ENABLE_DNS_PREFETCH_CONTROL: + response.headers["X-DNS-Prefetch-Control"] = "off" + if settings.ENABLE_HSTS: response.headers["Strict-Transport-Security"] = ( "max-age=63072000; includeSubDomains; preload"