Update app.py

app.py

@@ -1,5 +1,5 @@
 
-from flask import Flask, render_template_string, request, redirect, url_for, send_file, flash, jsonify
+from flask import Flask, render_template_string, request, redirect, url_for, send_file, flash, jsonify, Response
 import json
 import os
 import logging
@@ -44,6 +44,24 @@ STATUS_MAP_RU = {
 logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
 
 
+@app.after_request
+def add_security_headers(response):
+    csp = (
+        "default-src 'self'; "
+        "script-src 'self' https://cdnjs.cloudflare.com; "
+        "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com; "
+        "font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; "
+        "img-src 'self' data: https://huggingface.co https://via.placeholder.com; "
+        "object-src 'none'; "
+        "frame-ancestors 'none'; "
+        "base-uri 'self';"
+    )
+    response.headers['Content-Security-Policy'] = csp
+    response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-Frame-Options'] = 'SAMEORIGIN'
+    response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
+    return response
 
 def download_db_from_hf(specific_file=None, retries=DOWNLOAD_RETRIES, delay=DOWNLOAD_DELAY):
     if not HF_TOKEN_READ and not HF_TOKEN_WRITE:
@@ -1590,7 +1608,6 @@ def product_detail(index):
         logging.warning(f"Attempted access to non-existent or out-of-stock product with index {index}")
         return "Товар не найден или отсутствует в наличии.", 404
     
-    # Pass the sorted index back so the JS function can correctly call openQuantityModal
     products_index = index
 
     return render_template_string(
@@ -1632,7 +1649,7 @@ def create_order():
                 "price": price,
                 "quantity": quantity,
                 "color": item.get('color', 'N/A'),
-                "model": item.get('model', 'N/A'), # NEW MODEL
+                "model": item.get('model', 'N/A'),
                 "photo": photo_name,
                 "photo_url": photo_url
             })
@@ -1771,7 +1788,7 @@ def admin():
                 category = request.form.get('category')
                 photos_files = request.files.getlist('photos')
                 colors = [c.strip() for c in request.form.getlist('colors') if c.strip()]
-                models = [m.strip() for m in request.form.getlist('models') if m.strip()] # NEW MODELS
+                models = [m.strip() for m in request.form.getlist('models') if m.strip()]
                 in_stock = 'in_stock' in request.form
                 is_top = 'is_top' in request.form
 
@@ -1844,7 +1861,7 @@ def admin():
                     'id': str(uuid.uuid4()),
                     'name': name, 'price': price, 'description': description,
                     'category': category if category in categories else 'Без категории',
-                    'photos': photos_list, 'colors': colors, 'models': models, # NEW MODELS
+                    'photos': photos_list, 'colors': colors, 'models': models,
                     'in_stock': in_stock, 'is_top': is_top
                 }
                 products.append(new_product)
@@ -1879,7 +1896,7 @@ def admin():
                 category = request.form.get('category')
                 product_to_edit['category'] = category if category in categories else 'Без категории'
                 product_to_edit['colors'] = [c.strip() for c in request.form.getlist('colors') if c.strip()]
-                product_to_edit['models'] = [m.strip() for m in request.form.getlist('models') if m.strip()] # NEW MODELS
+                product_to_edit['models'] = [m.strip() for m in request.form.getlist('models') if m.strip()]
                 product_to_edit['in_stock'] = 'in_stock' in request.form
                 product_to_edit['is_top'] = 'is_top' in request.form