sda / server.py
betterwithage's picture
Add honest SDA deployment-source evidence
b621b0a verified
Raw
History Blame
4.4 kB
#!/usr/bin/env python3
"""Hardened static file server for the SZL SDA Space.
Serves exactly the same files as `python -m http.server 7860` (same /app
directory, same port 7860) but adds security response headers on every response:
- Content-Security-Policy (tuned to this page's real resources)
- Strict-Transport-Security max-age=31536000; includeSubDomains
- X-Content-Type-Options nosniff
- Referrer-Policy strict-origin-when-cross-origin
- Server clean "szl" banner (suppresses SimpleHTTP/Python
version disclosure)
Additive / non-breaking: no ports or file paths change. The CSP permits every
resource this Space actually uses: the inline ES-module importmap that maps
'three' -> ./assets/three.module.min.js, self-hosted module + classic scripts,
inline styles, the self-hosted SVG favicon + data:/blob: images, and the
read-only cross-origin verify fetches to a-11-oy.com and killinchu, so the
WebGL scene and the SDA verify widget keep working.
"""
import functools
import json
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit
from szl_source_attestation import build_attestation
PORT = 7860
DIRECTORY = "/app"
SPACE_ID = "SZLHOLDINGS/sda"
HF_OVERLAY_BASE_REVISION = "05cd77a1e728f59ab920e04bd632e7ff64a25b2e"
SOURCE_OBSERVATION = {
"repository": "szl-holdings/sda",
"commit": None,
"path": "",
"state": "PENDING_SOURCE_RESOLUTION",
"relation": "UNKNOWN",
"evidence_url": "https://api.github.com/repos/szl-holdings/sda",
"observation": {
"observed_at": "2026-07-11T22:00:20Z",
"http_status": 404,
"meaning": (
"The inferred name-matched GitHub repository was not found. "
"No source commit or parity claim is available."
),
},
}
CONTENT_SECURITY_POLICY = (
"default-src 'self'; "
"base-uri 'self'; "
"object-src 'none'; "
"script-src 'self' 'unsafe-inline'; "
"style-src 'self' 'unsafe-inline'; "
"img-src 'self' data: blob:; "
"font-src 'self'; "
"connect-src 'self' https://a-11-oy.com "
"https://szlholdings-killinchu.hf.space; "
"frame-ancestors 'self' https://huggingface.co https://*.hf.space https://*.huggingface.co"
)
class HardenedHandler(SimpleHTTPRequestHandler):
server_version = "szl"
sys_version = ""
def version_string(self):
return "szl"
def _send_json(self, payload, status=200):
body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
self.send_response(status)
self.send_header("Content-Type", "application/json; charset=utf-8")
self.send_header("Content-Length", str(len(body)))
self.send_header("Cache-Control", "no-store")
self.send_header("X-SZL-Transport-State", "REACHABLE")
self.send_header("X-SZL-Evidence-State", payload.get("evidence_state", "UNAVAILABLE"))
self.send_header("X-SZL-Authority-State", "READ_ONLY")
self.end_headers()
self.wfile.write(body)
def do_GET(self):
parsed = urlsplit(self.path)
if parsed.path == "/.well-known/szl-source.json":
force = parse_qs(parsed.query).get("refresh", ["0"])[0] == "1"
payload = build_attestation(
space_id=SPACE_ID,
source=SOURCE_OBSERVATION,
alignment_state="UNKNOWN",
overlay_base_revision=HF_OVERLAY_BASE_REVISION,
force=force,
)
self._send_json(payload)
return
super().do_GET()
def end_headers(self):
self.send_header("Content-Security-Policy", CONTENT_SECURITY_POLICY)
self.send_header(
"Strict-Transport-Security", "max-age=31536000; includeSubDomains"
)
self.send_header("X-Content-Type-Options", "nosniff")
self.send_header("Referrer-Policy", "strict-origin-when-cross-origin")
super().end_headers()
if __name__ == "__main__":
handler = functools.partial(HardenedHandler, directory=DIRECTORY)
httpd = ThreadingHTTPServer(("0.0.0.0", PORT), handler)
print(f"Serving hardened static site from {DIRECTORY} on 0.0.0.0:{PORT}", flush=True)
try:
httpd.serve_forever()
except KeyboardInterrupt:
httpd.server_close()