
"""Optional security headers middleware for FastAPI apps."""

from __future__ import annotations

from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
from starlette.requests import Request
from starlette.responses import Response


class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    """Attach a baseline set of security response headers.

    Opt-in via :class:`~fluxlit.config.FluxlitSettings`. Every header is
    applied with ``setdefault``, so a value already set by the endpoint or
    by another middleware is left untouched.
    """

    async def dispatch(self, request: Request, call_next: RequestResponseEndpoint) -> Response:
        """Run the downstream handler, then add the baseline headers to its response.

        Args:
            request: The incoming request; only its headers and URL scheme are read.
            call_next: The next handler in the middleware chain.

        Returns:
            The downstream response, with each baseline header added where absent.
        """
        response = await call_next(request)

        # Static headers, applied without overriding an explicit value.
        for header_name, header_value in (
            ("X-Content-Type-Options", "nosniff"),
            ("X-Frame-Options", "SAMEORIGIN"),
            ("Referrer-Policy", "strict-origin-when-cross-origin"),
        ):
            response.headers.setdefault(header_name, header_value)

        # HSTS is only emitted when the request appears to have arrived over TLS.
        # The scheme comes from X-Forwarded-Proto when present (first element of a
        # comma-joined chain), otherwise from the URL scheme Starlette computed.
        # NOTE(review): the header is used exactly as sent, so a client can claim
        # "https" over plain HTTP; browsers disregard HSTS received on a non-TLS
        # connection, but confirm the fronting proxy overwrites this header rather
        # than appending to it, since only the first value is honoured here.
        forwarded_proto = request.headers.get("x-forwarded-proto", request.url.scheme)
        scheme = forwarded_proto.split(",")[0].strip().lower()
        if scheme == "https":
            response.headers.setdefault(
                "Strict-Transport-Security",
                "max-age=63072000; includeSubDomains",
            )
        return response
# Public API of this module: only the middleware class is exported.
__all__ = ["SecurityHeadersMiddleware"]