Spaces:

bastienp
/

backend

Running

App Files Files Community

bastienp commited on 8 days ago

Commit

5873878

1 Parent(s): a5399cd

feat(security): configure CORS and API validation

Browse files

Files changed (2) hide show

app/main.py +34 -9
requirements.txt +5 -1

app/main.py CHANGED Viewed

@@ -8,6 +8,7 @@ import time
 from pathlib import Path
 from fastapi.security.api_key import APIKeyHeader
 import os
 # Load environment variables
 load_dotenv()
@@ -24,10 +25,26 @@ FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:3000")  # Add default
 async def get_api_key(api_key_header: str = Security(api_key_header)):
     if not API_KEY:
-        raise HTTPException(status_code=500, detail="API key not configured on server")
-    if api_key_header != API_KEY:
-        raise HTTPException(status_code=403, detail="Invalid API key")
     return api_key_header
@@ -87,15 +104,23 @@ async def security_headers(request: Request, call_next):
     response = await call_next(request)
     response.headers["X-Content-Type-Options"] = "nosniff"
-    response.headers["X-Frame-Options"] = "SAMEORIGIN"  # More permissive than DENY
     response.headers["X-XSS-Protection"] = "1; mode=block"
-    response.headers["Strict-Transport-Security"] = (
-        "max-age=31536000; includeSubDomains"
-    )
     response.headers["Content-Security-Policy"] = (
-        "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; connect-src *"
     )
-    response.headers["Referrer-Policy"] = "no-referrer-when-downgrade"
     return response

 from pathlib import Path
 from fastapi.security.api_key import APIKeyHeader
 import os
+import secrets
 # Load environment variables
 load_dotenv()
 async def get_api_key(api_key_header: str = Security(api_key_header)):
     if not API_KEY:
+        logger.error("API key not configured on server")
+        raise HTTPException(
+            status_code=500,
+            detail="Server configuration error"  # Don't expose specific details
+        )
+    if not api_key_header:
+        raise HTTPException(
+            status_code=401,
+            detail="Missing API key",
+            headers={"WWW-Authenticate": "ApiKey"},
+        )
+    if not secrets.compare_digest(api_key_header, API_KEY):  # Constant-time comparison
+        logger.warning(f"Invalid API key attempt from {request.client.host}")
+        raise HTTPException(
+            status_code=403,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "ApiKey"},
+        )
     return api_key_header
     response = await call_next(request)
     response.headers["X-Content-Type-Options"] = "nosniff"
+    response.headers["X-Frame-Options"] = "DENY"  # Stricter than SAMEORIGIN
     response.headers["X-XSS-Protection"] = "1; mode=block"
+    response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
     response.headers["Content-Security-Policy"] = (
+        "default-src 'self'; "
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
+        "style-src 'self' 'unsafe-inline'; "
+        "img-src 'self' data: https:; "
+        "connect-src 'self' "
+    )
+    response.headers["Permissions-Policy"] = (
+        "accelerometer=(), camera=(), geolocation=(), gyroscope=(), "
+        "magnetometer=(), microphone=(), payment=(), usb=()"
     )
+    response.headers["Cache-Control"] = "no-store, no-cache, must-revalidate, proxy-revalidate"
+    response.headers["Pragma"] = "no-cache"
+    response.headers["Expires"] = "0"
     return response

requirements.txt CHANGED Viewed

@@ -7,4 +7,8 @@ mistralai>=0.0.7
 python-dotenv>=1.0.0
 langchain>=0.3.15
 langchain-mistralai>=0.2.4
-elevenlabs>=0.1.0

 python-dotenv>=1.0.0
 langchain>=0.3.15
 langchain-mistralai>=0.2.4
+elevenlabs>=0.1.0
+slowapi
+cryptography
+python-jose[cryptography]
+passlib[bcrypt]