Commit graph

12 commits

Author SHA1 Message Date
Classic298
0f8846b7fc
fix: convert SecurityHeadersMiddleware to pure ASGI (#26924)
SecurityHeadersMiddleware was the last middleware in the stack still
subclassing BaseHTTPMiddleware, after CommitSession, AuthToken,
WebsocketUpgradeGuard and Redirect were all moved to pure ASGI in
utils/asgi_middleware.py. BaseHTTPMiddleware re-buffers the response
body through an anyio task group, which has known issues with
streaming and Content-Length-bearing responses (e.g. the FileResponse
returned by /api/v1/audio/speech).

Reimplement it as a pure-ASGI middleware that stamps the configured
security headers onto the http.response.start message via
MutableHeaders and forwards all body chunks untouched, matching the
pattern already used by its four siblings. set_security_headers() and
all its helpers are unchanged.

Co-authored-by: classic298 <classic298@users.noreply.github.com>
2026-07-10 13:29:14 -05:00
Timothy Jaeryang Baek
6d0295588e refac: modernize type annotations (PEP 604 / PEP 585) 2026-05-12 17:10:15 +09:00
Timothy Jaeryang Baek
f246a66810 refac 2026-04-20 09:10:48 +09:00
Timothy Jaeryang Baek
de3317e26b refac 2026-03-17 17:58:01 -05:00
Timothy Jaeryang Baek
64ec73635b refac 2026-02-24 14:47:28 -06:00
Timothy Jaeryang Baek
2fac9b45cd chore: format 2024-11-30 23:36:30 -08:00
Diwakar
541ff6b41a
Feature to set HTTP header "Content-Security-Policy"
Introduce CONTENT_SECURITY_POLICY environment variable to set HTTP header "Content-Security-Policy".

Content Security Policy (CSP) is a feature that helps to prevent or minimize the risk of certain types of security threats. It consists of a series of instructions from a website to a browser, which instruct the browser to place restrictions on the things that the code comprising the site is allowed to do.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
2024-11-30 21:31:54 +07:00
Diego Monti
b1805380dc feat: Add permissions-policy to security headers 2024-11-06 18:16:22 +01:00
Diwakar
0a7bc50279
Prevent crash while setting Strict-Transport-Security security header 2024-10-26 13:45:28 +07:00
Timothy J. Baek
1053863175 chore: format 2024-09-19 03:24:39 +02:00
Phil Ogbonna
896baf021b update comment block 2024-09-16 22:02:55 -03:00
Phil Ogbonna
499e5e4f60 feat: security response headers 2024-09-16 21:53:30 -03:00