wrongmove/api/security_headers.py

"""Security headers middleware."""
from starlette.middleware.base import BaseHTTPMiddleware
from starlette.requests import Request
from starlette.responses import Response


class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    """Add standard security headers to every response."""

    async def dispatch(self, request: Request, call_next) -> Response:  # type: ignore[no-untyped-def]
        response = await call_next(request)
        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["X-Frame-Options"] = "DENY"
        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
        response.headers["Content-Security-Policy"] = (
            "default-src 'self'; "
            "script-src 'self'; "
            "style-src 'self' 'unsafe-inline'; "
            "connect-src 'self' https://*.mapbox.com; "
            "img-src 'self' data: https://*.mapbox.com https://media.rightmove.co.uk; "
            "frame-ancestors 'none'"
        )
        # Only add HSTS when behind TLS-terminating proxy
        if request.headers.get("x-forwarded-proto") == "https":
            response.headers["Strict-Transport-Security"] = (
                "max-age=63072000; includeSubDomains"
            )
        return response
Harden backend security: IDOR fix, error sanitization, rate limiter fallback, security headers - Fix task status IDOR by adding ownership check; suppress traceback/error in production - Passkey routes: return generic error messages for internal exceptions, keep ValueError for user-facing - JWT_SECRET and OIDC_CLIENT_ID: raise RuntimeError in production when using defaults - Rate limiter: add in-memory fallback counter when Redis is unavailable - Fix X-Forwarded-For IP spoofing with trusted_proxy_depth (rightmost-N selection) - Add SecurityHeadersMiddleware (X-Content-Type-Options, X-Frame-Options, CSP, conditional HSTS) - CORS: add PUT/DELETE methods for POI routes - POI input validation: field length and coordinate range constraints - QueryParameters: add min_sqm <= max_sqm validation 2026-02-08 19:42:30 +00:00			`"""Security headers middleware."""`
			`from starlette.middleware.base import BaseHTTPMiddleware`
			`from starlette.requests import Request`
			`from starlette.responses import Response`


			`class SecurityHeadersMiddleware(BaseHTTPMiddleware):`
			`"""Add standard security headers to every response."""`

			`async def dispatch(self, request: Request, call_next) -> Response: # type: ignore[no-untyped-def]`
			`response = await call_next(request)`
			`response.headers["X-Content-Type-Options"] = "nosniff"`
			`response.headers["X-Frame-Options"] = "DENY"`
			`response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"`
			`response.headers["Content-Security-Policy"] = (`
			`"default-src 'self'; "`
			`"script-src 'self'; "`
			`"style-src 'self' 'unsafe-inline'; "`
			`"connect-src 'self' https://*.mapbox.com; "`
			`"img-src 'self' data: https://*.mapbox.com https://media.rightmove.co.uk; "`
			`"frame-ancestors 'none'"`
			`)`
			`# Only add HSTS when behind TLS-terminating proxy`
			`if request.headers.get("x-forwarded-proto") == "https":`
			`response.headers["Strict-Transport-Security"] = (`
			`"max-age=63072000; includeSubDomains"`
			`)`
			`return response`