"""Production security response headers.""" from __future__ import annotations import os from starlette.middleware.base import BaseHTTPMiddleware from starlette.requests import Request from starlette.responses import Response class SecurityHeadersMiddleware(BaseHTTPMiddleware): async def dispatch(self, request: Request, call_next) -> Response: response = await call_next(request) response.headers.setdefault("X-Content-Type-Options", "nosniff") response.headers.setdefault("X-Frame-Options", "DENY") response.headers.setdefault("Referrer-Policy", "strict-origin-when-cross-origin") response.headers.setdefault("Permissions-Policy", "geolocation=(), microphone=(), camera=()") if request.url.scheme == "https": response.headers.setdefault("Strict-Transport-Security", "max-age=31536000; includeSubDomains") if os.getenv("CEPHEUS_PRODUCTION", "").strip() == "1": response.headers.setdefault( "Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'", ) return response