16 changes: 15 additions & 1 deletion app/main.py
@@ -2,7 +2,7 @@
import os
import sys
import uvicorn # Uvicorn ASGI server for FastAPI
from fastapi import FastAPI # FastAPI framework
from fastapi import FastAPI, Request # FastAPI framework
from fastapi.staticfiles import StaticFiles # To serve static files

# Adding the parent directory of the current script to the system path
@@ -16,7 +16,21 @@
# Initializing the FastAPI application
app = FastAPI()


@app.middleware("http")
async def add_security_headers(request: Request, call_next):
"""
Middleware to append security headers to all responses.
This helps mitigate risks like MIME sniffing and Clickjacking.
"""
response = await call_next(request)
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-Frame-Options"] = "DENY"
response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
return response

# Including the routers for different parts of the application

app.include_router(root.router) # Root router, handles main endpoints
app.include_router(extensions.router) # Extensions router, handles additional features
app.include_router(builtin.router) # Builtin router, handles built-in features
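Review bot: the `Strict-Transport-Security` line with `includeSubDomains` and `max-age=31536000` commits every subdomain of the serving host to HTTPS for a year as soon as a browser receives it over TLS; confirm that all subdomains really are served over HTTPS (or drop `includeSubDomains`), and consider whether the TLS-terminating proxy is the more appropriate place to emit HSTS than the application. Two smaller points: with `@app.middleware("http")` the headers are only attached when `call_next` returns normally, so responses produced by the outer error handler for an unhandled exception will not carry them, and the docstring mentions only MIME sniffing and Clickjacking although the function also sets HSTS.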
7 changes: 7 additions & 0 deletions pr_description.txt
@@ -0,0 +1,7 @@
## πŸ›‘οΈ Sentinel: [security improvement] Add Security Headers Middleware

**🚨 Severity:** MEDIUM
**πŸ’‘ Vulnerability:** Missing security headers (MIME sniffing and Clickjacking risks)
**🎯 Impact:** Without these headers, the application is vulnerable to MIME type confusion attacks and Clickjacking, where an attacker could potentially embed the application in a malicious frame.
**πŸ”§ Fix:** Added a FastAPI middleware in `app/main.py` that appends `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, and `Strict-Transport-Security: max-age=31536000; includeSubDomains` to all HTTP responses.
**βœ… Verification:** A new test `test_security_headers` has been added to `test_app.py` to ensure these headers are correctly applied to the responses. The entire test suite was successfully executed using `python3 -m pytest`.
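Review bot: `pr_description.txt` is being committed into the repository tree; a PR description belongs in the pull request itself, not in the code base, so this file should be dropped from the change. Within the text, the **Vulnerability** line names only MIME sniffing and Clickjacking while the **Fix** line also adds `Strict-Transport-Security`, which addresses a separate risk (protocol downgrade); either list that risk too or explain why HSTS is bundled here.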
8 changes: 8 additions & 0 deletions test_app.py
@@ -356,3 +356,11 @@ def test_htmx_headers(client):
)
assert response.status_code == 200
assert b"Correct button was selected based on HTMX Request Headers" in response.content

def test_security_headers(client):
"""Test that security headers are applied to all responses."""
response = client.get("/builtin/info")
assert response.status_code == 204
assert response.headers.get("X-Content-Type-Options") == "nosniff"
assert response.headers.get("X-Frame-Options") == "DENY"
assert response.headers.get("Strict-Transport-Security") == "max-age=31536000; includeSubDomains"
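Review bot: the docstring of `test_security_headers` says the headers are applied to all responses, but the test exercises only `client.get("/builtin/info")` and its 204; add at least one more case, for example a request to an unknown path returning 404, so the test actually shows the middleware covers responses other than the happy path. Style: only one blank line separates this function from `test_htmx_headers`, whereas PEP 8 expects two.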