Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions backend/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
### Configurable Security Headers

The following response headers can be enabled or disabled through environment settings:

- ENABLE_X_FRAME_OPTIONS
- ENABLE_X_CONTENT_TYPE_OPTIONS
- ENABLE_HSTS
- ENABLE_CSP
- ENABLE_DNS_PREFETCH_CONTROL
- ENABLE_CROSS_DOMAIN_POLICIES
2 changes: 2 additions & 0 deletions backend/app/core/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,8 @@ class Settings(BaseSettings):
ENABLE_CSP: bool = True
ENABLE_X_FRAME_OPTIONS: bool = True
ENABLE_X_CONTENT_TYPE_OPTIONS: bool = True
ENABLE_DNS_PREFETCH_CONTROL: bool = True
ENABLE_CROSS_DOMAIN_POLICIES: bool = True

# ==========================================================
# Celery
Expand Down
13 changes: 11 additions & 2 deletions backend/app/middleware/security_headers.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,11 @@ async def dispatch(

response = await call_next(request)

response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-Frame-Options"] = "DENY"
if settings.ENABLE_X_CONTENT_TYPE_OPTIONS:
response.headers["X-Content-Type-Options"] = "nosniff"

if settings.ENABLE_X_FRAME_OPTIONS:
response.headers["X-Frame-Options"] = "DENY"
response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"

response.headers["Permissions-Policy"] = (
Expand All @@ -32,6 +35,12 @@ async def dispatch(

response.headers["Cross-Origin-Embedder-Policy"] = "require-corp"

if settings.ENABLE_CROSS_DOMAIN_POLICIES:
response.headers["X-Permitted-Cross-Domain-Policies"] = "none"

if settings.ENABLE_DNS_PREFETCH_CONTROL:
response.headers["X-DNS-Prefetch-Control"] = "off"

if settings.ENABLE_HSTS:
response.headers["Strict-Transport-Security"] = (
"max-age=63072000; includeSubDomains; preload"
Expand Down
Loading