Security: add security headers, CSP, request size limits

2026-01-08 14:53:44 -05:00 · 2026-01-08 14:53:44 -05:00 · 8e4c57a93a
commit 8e4c57a93a
parent 1565c8db38
1 changed files with 17 additions and 0 deletions
--- a/search_app.py
+++ b/search_app.py
@ -938,6 +938,23 @@ def build_full_graph_payload(

 def create_app(config: AppConfig = CONFIG) -> Flask:
    app = Flask(__name__, static_folder=str(Path(__file__).parent / "static"))
+    app.config['MAX_CONTENT_LENGTH'] = 1 * 1024 * 1024
+
+    @app.after_request
+    def add_security_headers(response):
+        response.headers['X-Frame-Options'] = 'DENY'
+        response.headers['X-Content-Type-Options'] = 'nosniff'
+        response.headers['Permissions-Policy'] = 'geolocation=(), microphone=(), camera=()'
+        response.headers['Content-Security-Policy'] = (
+            "default-src 'self'; "
+            "script-src 'self' https://cdn.jsdelivr.net https://unpkg.com; "
+            "style-src 'self' 'unsafe-inline' https://unpkg.com; "
+            "img-src 'self' data: https:; "
+            "font-src 'self' https://unpkg.com; "
+            "connect-src 'self'"
+        )
+        return response
+
    client = _ensure_client(config)
    index = config.elastic.index
    qdrant_url = config.qdrant_url