Spaces:

ag235772
/

WebPass

Running

ag235772 commited on Feb 21

Commit

3f87767

1 Parent(s): 49c6518

Security Hardening: Removed unused iframe exceptions (Principle of Least Privilege)

Files changed (1) hide show

webpass/__init__.py CHANGED Viewed

@@ -105,18 +105,16 @@ def create_app():
                 if not session.get('bio_verified'):
                     return redirect(url_for('bio.lock_screen'))
     # 5. SECURITY HEADERS
     # 5. SECURITY HEADERS
     @app.after_request
     def add_security_headers(response):
         response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
-        # The modern, precise way to whitelist specific domains for iframing
-        # 'self' allows your own app, the URLs allow your specific domains
-        response.headers['Content-Security-Policy'] = "frame-ancestors 'self' https://webpass.augsec.in https://huggingface.co;"
-        # Note: We remove X-Frame-Options because CSP frame-ancestors replaces it
-        # and is fully supported by all modern browsers.
         return response

                 if not session.get('bio_verified'):
                     return redirect(url_for('bio.lock_screen'))
+    # 5. SECURITY HEADERS
     # 5. SECURITY HEADERS
     # 5. SECURITY HEADERS
     @app.after_request
     def add_security_headers(response):
         response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
+        # SLAMMING THE DOOR: Removed your custom domain since the Vercel Proxy doesn't need it.
+        # We only allow Hugging Face so your developer portfolio preview still works!
+        response.headers['Content-Security-Policy'] = "frame-ancestors 'self' https://huggingface.co;"
         return response