security(api): Add http security headers to server-side calls (#727)

TracecatHQ · Jan 10, 2025 · 4adae47 · 4adae47
1 parent 05bcd7f
commit 4adae47
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/tracecat/api/app.py b/tracecat/api/app.py
@@ -33,6 +33,7 @@
 from tracecat.editor.router import router as editor_router
 from tracecat.logger import logger
 from tracecat.middleware import RequestLoggingMiddleware
+from tracecat.middleware.security import SecurityHeadersMiddleware
 from tracecat.organization.router import router as org_router
 from tracecat.registry.actions.router import router as registry_actions_router
 from tracecat.registry.common import reload_registry
@@ -233,6 +234,7 @@ def create_app(**kwargs) -> FastAPI:
 
     # Middleware
     app.add_middleware(RequestLoggingMiddleware)
+    app.add_middleware(SecurityHeadersMiddleware)
     app.add_middleware(
         CORSMiddleware,
         allow_origins=allow_origins,

diff --git a/tracecat/middleware/security.py b/tracecat/middleware/security.py
@@ -0,0 +1,40 @@
+import os
+
+from fastapi import Request
+from starlette.middleware.base import BaseHTTPMiddleware
+
+
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    async def dispatch(self, request: Request, call_next):
+        response = await call_next(request)
+        if os.getenv("POSTHOG_KEY"):
+            csp_directives = [
+                "connect-src 'self' https://*.posthog.com",
+                "default-src 'self'",
+                "worker-src 'self' blob:",
+                "frame-ancestors 'none'",
+                "img-src 'self' data:",
+                "object-src 'none'",
+                "script-src 'self' 'unsafe-inline' https://*.posthog.com",
+                "style-src 'self' 'unsafe-inline'",
+            ]
+        else:
+            csp_directives = [
+                "connect-src 'self'",
+                "default-src 'self'",
+                "worker-src 'self' blob:",
+                "frame-ancestors 'none'",
+                "img-src 'self' data:",
+                "object-src 'none'",
+                "script-src 'self' 'unsafe-inline'",
+                "style-src 'self' 'unsafe-inline'",
+            ]
+        headers = {
+            "Strict-Transport-Security": "max-age=7776000; includeSubDomains",
+            "Content-Security-Policy": "; ".join(csp_directives),
+            "X-Content-Type-Options": "nosniff",
+            "Referrer-Policy": "strict-origin-when-cross-origin",
+            "Permissions-Policy": "document-domain=()",
+        }
+        response.headers.update(headers)
+        return response