| """Production security response headers.""" |
| from __future__ import annotations |
|
|
| import os |
|
|
| from starlette.middleware.base import BaseHTTPMiddleware |
| from starlette.requests import Request |
| from starlette.responses import Response |
|
|
|
|
class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    """Attach a baseline set of browser-hardening headers to every response.

    Every header is added with ``setdefault``, so a route that deliberately
    sets its own value is left untouched rather than overridden.  Two headers
    are conditional: ``Strict-Transport-Security`` is emitted only when the
    request URL scheme is ``https``, and ``Content-Security-Policy`` is emitted
    only when the ``CEPHEUS_PRODUCTION`` environment variable is exactly
    ``"1"`` after surrounding whitespace is stripped.
    """

    # Unconditional headers, attached in this order.
    _BASELINE: tuple[tuple[str, str], ...] = (
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "DENY"),
        ("Referrer-Policy", "strict-origin-when-cross-origin"),
        ("Permissions-Policy", "geolocation=(), microphone=(), camera=()"),
    )
    _HSTS_VALUE = "max-age=31536000; includeSubDomains"
    _CSP_VALUE = "default-src 'none'; frame-ancestors 'none'"
    _PRODUCTION_ENV = "CEPHEUS_PRODUCTION"

    async def dispatch(self, request: Request, call_next) -> Response:
        """Run the downstream handler, then decorate its response.

        Args:
            request: The incoming request; only ``request.url.scheme`` is read.
            call_next: The next handler in the middleware chain.

        Returns:
            The downstream response with each missing hardening header added.
        """
        response = await call_next(request)
        headers = response.headers
        for name, value in self._BASELINE:
            headers.setdefault(name, value)
        # NOTE(review): this relies on request.url.scheme reflecting the
        # client-facing scheme. Behind a TLS-terminating proxy that holds only
        # if forwarded-proto headers are honoured upstream — confirm per deployment.
        if request.url.scheme == "https":
            headers.setdefault("Strict-Transport-Security", self._HSTS_VALUE)
        # The environment is consulted on every request, so the flag is read
        # live rather than frozen at import time.
        if self._is_production():
            headers.setdefault("Content-Security-Policy", self._CSP_VALUE)
        return response

    @classmethod
    def _is_production(cls) -> bool:
        """Return True when CEPHEUS_PRODUCTION is ``1`` (whitespace ignored)."""
        return os.getenv(cls._PRODUCTION_ENV, "").strip() == "1"
|
|