Add API anti-abuse hardening: disable docs in prod, origin validator, exception handler

- Disable OpenAPI docs/redoc/openapi.json when APP_ENV=production - Strip uvicorn Server header with --no-server-header in Dockerfile and docker-compose.yml - Add OriginValidatorMiddleware to reject state-changing requests from disallowed origins - Add global exception handler to prevent stack trace leakage on unhandled errors - Add tests for all new security features (OpenAPI, origin validation, exception handler, server header)
2026-02-08 20:06:46 +00:00 · 2026-02-08 20:06:46 +00:00 · 1ace45353a
commit 1ace45353a
parent 162d9a886d
8 changed files with 252 additions and 4 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -60,7 +60,7 @@ services:
        condition: service_healthy
      mysql:
        condition: service_healthy
-    command: ["sh", "-c", "alembic upgrade head && uvicorn api.app:app --host 0.0.0.0 --port 5001 --reload --reload-dir api --reload-dir services --reload-dir repositories --reload-dir models"]
+    command: ["sh", "-c", "alembic upgrade head && uvicorn api.app:app --host 0.0.0.0 --port 5001 --reload --reload-dir api --reload-dir services --reload-dir repositories --reload-dir models --no-server-header"]
    networks:
      - rec-network