Skip to content

feat(security): make security headers configurable#224

Merged
nensii21 merged 1 commit into
nensii21:mainfrom
ayeshafaeza-2427:security-issue-105
Jul 12, 2026
Merged

feat(security): make security headers configurable#224
nensii21 merged 1 commit into
nensii21:mainfrom
ayeshafaeza-2427:security-issue-105

Conversation

@ayeshafaeza-2427

Copy link
Copy Markdown
Contributor

Description

This PR improves the configurability of backend security headers while preserving the existing default behavior.

Changes

  • Made X-Content-Type-Options configurable using ENABLE_X_CONTENT_TYPE_OPTIONS.
  • Made X-Frame-Options configurable using ENABLE_X_FRAME_OPTIONS.
  • Added configurable support for X-Permitted-Cross-Domain-Policies.
  • Added configurable support for X-DNS-Prefetch-Control.
  • Added documentation for configurable security header settings in the backend README.

Why

The project already includes core security mechanisms such as CSP, HSTS, CORS, and rate limiting. This PR enhances flexibility by allowing additional security headers to be enabled or disabled through configuration without changing the default behavior.

Closes #105

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 Thank you for your first Pull Request to DevLink!

We appreciate your contribution to our open-source community.

Before your PR is reviewed, please ensure:

  • ✅ The project builds successfully.
  • ✅ Your code follows the project's coding standards.
  • ✅ You have tested your changes.
  • ✅ Related documentation has been updated if necessary.

Our maintainers will review your PR as soon as possible.

Thank you for helping improve DevLink! 💙

@nensii21

Copy link
Copy Markdown
Owner

CI job is failing.

@ayeshafaeza-2427

Copy link
Copy Markdown
Contributor Author

Hi! @nensii21 I checked the failing Backend CI job. The formatter (black --check) is reporting formatting issues in files such as backend/app/core/celery_app.py and several notification-related files, which are not part of this PR. The changes in this PR are limited to:

backend/app/core/config.py
backend/app/middleware/security_headers.py
backend/README.md

Could you please confirm whether the CI is picking up formatting issues from the base branch? I'm happy to make any changes needed if there's something specific in my PR.

@nensii21 nensii21 merged commit da11663 into nensii21:main Jul 12, 2026
7 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security Headers

2 participants