Build 2602262030: add magent settings and hardening

2026-02-26 20:31:26 +13:00
parent b215e8030c
commit 0b73d9f4ee
16 changed files with 897 additions and 140 deletions
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -1,6 +1,6 @@
 import asyncio

-from fastapi import FastAPI
+from fastapi import FastAPI, Request
 from fastapi.middleware.cors import CORSMiddleware

 from .config import settings
@@ -24,7 +24,12 @@ from .services.jellyfin_sync import run_daily_jellyfin_sync
 from .logging_config import configure_logging
 from .runtime import get_runtime_settings

-app = FastAPI(title=settings.app_name)
+app = FastAPI(
+    title=settings.app_name,
+    docs_url="/docs" if settings.api_docs_enabled else None,
+    redoc_url=None,
+    openapi_url="/openapi.json" if settings.api_docs_enabled else None,
+)

 app.add_middleware(
    CORSMiddleware,
@@ -35,6 +40,22 @@ app.add_middleware(
 )


+@app.middleware("http")
+async def add_security_headers(request: Request, call_next):
+    response = await call_next(request)
+    response.headers.setdefault("X-Content-Type-Options", "nosniff")
+    response.headers.setdefault("X-Frame-Options", "DENY")
+    response.headers.setdefault("Referrer-Policy", "no-referrer")
+    response.headers.setdefault("Permissions-Policy", "geolocation=(), microphone=(), camera=()")
+    # Keep API responses non-executable and non-embeddable by default.
+    if request.url.path not in {"/docs", "/redoc"} and not request.url.path.startswith("/openapi"):
+        response.headers.setdefault(
+            "Content-Security-Policy",
+            "default-src 'none'; frame-ancestors 'none'; base-uri 'none'",
+        )
+    return response
+
+
@app.get("/health")
 async def health() -> dict:
    return {"status": "ok"}