knight/TLC-Search
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security: add security headers, CSP, request size limits

Browse Source
This commit is contained in:
knight
2026-01-08 14:53:44 -05:00
parent 1565c8db38
commit 8e4c57a93a
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
search_app.py
View File

@@ -938,6 +938,23 @@ def build_full_graph_payload(
def create_app(config: AppConfig = CONFIG) -> Flask: def create_app(config: AppConfig = CONFIG) -> Flask:
app = Flask(__name__, static_folder=str(Path(__file__).parent / "static")) app = Flask(__name__, static_folder=str(Path(__file__).parent / "static"))
app.config['MAX_CONTENT_LENGTH'] = 1 * 1024 * 1024
@app.after_request
def add_security_headers(response):
response.headers['X-Frame-Options'] = 'DENY'
response.headers['X-Content-Type-Options'] = 'nosniff'
response.headers['Permissions-Policy'] = 'geolocation=(), microphone=(), camera=()'
response.headers['Content-Security-Policy'] = (
"default-src 'self'; "
"script-src 'self' https://cdn.jsdelivr.net https://unpkg.com; "
"style-src 'self' 'unsafe-inline' https://unpkg.com; "
"img-src 'self' data: https:; "
"font-src 'self' https://unpkg.com; "
"connect-src 'self'"
)
return response
client = _ensure_client(config) client = _ensure_client(config)
index = config.elastic.index index = config.elastic.index
qdrant_url = config.qdrant_url qdrant_url = config.qdrant_url