Extract security response helpers

[caozhengming]

Bounty #320. Refs #320.

Summary

• Move CSP/security header constants and forwarded-HTTPS redirect handling out of app.main into app.security.
• Keep the middleware behavior unchanged while reducing the route-heavy main module.

Tests

• .\.venv\Scripts\python.exe -m pytest
• .\.venv\Scripts\python.exe -m ruff format --check .
• .\.venv\Scripts\python.exe -m ruff check .
• .\.venv\Scripts\python.exe -m mypy app

Summary by CodeRabbit

• Refactor
  • Reorganized HTTP security header handling into a dedicated module for improved consistency and maintainability across the application.
  • Enhanced HTTPS redirect preservation when requests come through proxies.
  • Implemented stricter Content-Security-Policy enforcement for API documentation routes.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 1a878876-58f6-4ed2-9585-d86106f05d27

📥 Commits

Reviewing files that changed from the base of the PR and between ac99d79 and 7f7dfe2.

📒 Files selected for processing (2)

• app/main.py
• app/security.py

---

📝 Walkthrough

Walkthrough

Security header handling is extracted from the main module into a new dedicated app/security.py module. The main module is refactored to import and delegate to the new security module's apply_security_headers function, reducing complexity and enabling reusable security header logic.

Changes

Security Module Extraction

Layer / File(s)	Summary
Security module definition app/security.py	New module defines SECURITY_HEADERS for baseline security headers, API_DOCS_CSP and API_DOCS_PATHS for API documentation policy, helper functions request_was_forwarded_https and preserve_forwarded_https_redirect to detect and preserve HTTPS in redirects, and the orchestrator apply_security_headers to apply CSP for docs routes and ensure default headers are set.
Main module integration and cleanup app/main.py	Removed imports of urlsplit/urlunsplit, added import of apply_security_headers, removed relocated security constants and helper functions, and updated the security middleware to delegate final header application to apply_security_headers(request, response) rather than applying headers inline.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description covers the main objective and includes references to the related bounty, but does not follow the required template structure with the specified sections.	Reorganize description to match the template: add a 'Confusion/bug this addresses' section under Evidence, and replace custom test commands with the template's checkbox format.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: extracting security response helpers from main.py into a new security.py module.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[weilixiong]

✅ Reviewed: security response helpers extraction. 2 files +71/-59, CI ✅. Clean refactor preserving existing behavior. LOW risk.

[caozhengming]

Closing this because I noticed after opening that PR #369 already covers the security-header middleware extraction for Bounty #320. I don't want to duplicate another contributor's submission or add maintainer review noise.

[tolga-tom-nook]

No blockers found on current head 7f7dfe2.

Evidence checked:

• Inspected app/security.py extraction and app/main.py middleware call site.
• Verified default security headers remain set with setdefault, API docs/redoc still receive the relaxed docs CSP, and forwarded-HTTPS same-host 307/308 redirect rewriting preserves the prior behavior.
• Verified no redirect rewrite for non-forwarded HTTP or non-matching locations by existing security regression coverage.

Commands run locally:

./.venv/bin/python -m pytest tests/test_security.py tests/test_docs_public_urls.py -q
./.venv/bin/python -m pytest -q
./.venv/bin/python -m ruff check app/security.py app/main.py tests/test_security.py tests/test_docs_public_urls.py
./.venv/bin/python -m ruff format --check app/security.py app/main.py tests/test_security.py tests/test_docs_public_urls.py
./.venv/bin/python -m mypy app
git diff --check origin/main...HEAD

Results: 70 targeted tests passed; full suite passed (335 passed); ruff, format, mypy, and diff whitespace checks passed.