Skip to content

fix(#45): Add HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)#181

Merged
YaronZaki merged 1 commit into
Quantarq:mainfrom
P3az3:main
Jul 7, 2026
Merged

fix(#45): Add HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)#181
YaronZaki merged 1 commit into
Quantarq:mainfrom
P3az3:main

Conversation

@P3az3

@P3az3 P3az3 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds HTTP security headers to FastAPI responses (via ASGI middleware) and nginx configs as defense-in-depth against XSS, clickjacking, MIME-sniffing, and protocol-downgrade attacks.

Changes

FastAPI middleware (quantara/web_app/api/middleware.py)

  • New SecurityHeadersMiddleware ASGI middleware that injects:
    • Content-Security-Policy: restricts sources to self, stellar.org, and Freighter
    • X-Frame-Options: DENY: prevents clickjacking
    • X-Content-Type-Options: nosniff: prevents MIME-sniffing
    • Referrer-Policy: strict-origin-when-cross-origin: controls referrer info
    • Strict-Transport-Security (only when ENV_VERSION=PROD): enforces HTTPS

Nginx configs

  • quantara/frontend/quantara.conf: Added security header add_header directives
  • quantara/frontend/quantara_dev.conf: Added security header add_header directives with shorter HSTS (1 day) for dev

Tests

  • quantara/web_app/tests/test_security_headers.py: Tests for middleware registration, header presence, and HSTS environment gating

Closes #45

…ns, X-Content-Type-Options)

- Add SecurityHeadersMiddleware to inject CSP, X-Frame-Options,
  X-Content-Type-Options, Referrer-Policy on all responses
- Enable Strict-Transport-Security only when ENV_VERSION=PROD
- Add security headers to nginx production config (quantara.conf)
- Add security headers to nginx dev config (quantara_dev.conf)
- Add unit tests for middleware registration, header presence,
  and HSTS environment gating

Closes Quantarq#45

@YaronZaki YaronZaki left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@YaronZaki YaronZaki merged commit d5f06f6 into Quantarq:main Jul 7, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

security: Add HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)

2 participants