fix: add Content-Security-Policy header to all responses (#848) #874
Merged
Conversation
…ta#848) - Add CSP header restricting script, style, and resource sources - Prevents XSS and unauthorized resource loading
@Aryanbansal-05 is attempting to deploy a commit to the komalsony234-1530's projects Team on Vercel. A member of the Team first needs to authorize it.
Contributor
Author
Hi @komalharshita, just flagging — the failing CI checks here are due to the pre-existing WEIGHT_LEVEL import error in tests/test_basic.py (already fixed in PR #834), not related to this change. This PR only adds the CSP header to add_security_headers in app.py. Happy to rebase once #834 is merged. Thanks!
Owner
Approved for merge!
Summary [required]
The application sets several security headers but was missing a Content-Security-Policy (CSP) header, leaving it more vulnerable to XSS attacks and unauthorized resource loading. This PR adds a CSP header to the existing add_security_headers function in app.py, restricting the sources from which scripts, styles, images, and other resources can be loaded.
Related Issue
Closes #848
Type of Change [required]
What Was Changed [required]
| File | Change made |
| --- | --- |
| app.py | Added Content-Security-Policy header to the add_security_headers after-request hook, restricting default-src, script-src, style-src, img-src, font-src, connect-src, and frame-ancestors to 'self' |
How to Test This PR [required]
```
git checkout your-branch-name
pip install -r requirements.txt
python app.py
python tests/test_basic.py
```
Expected test output:
Test Results [required]
Verified app.py imports and runs correctly:
python -c "import app; print('OK')" → OK
Note: tests/test_basic.py currently fails to collect due to a pre-existing import error (WEIGHT_LEVEL not found in utils.recommender), unrelated to this change — already fixed in PR #834.
This PR only modifies the add_security_headers function in app.py.
Self-Review Checklist [required]
- Branch name uses one of the prefixes feat/, fix/, docs/, data/, style/, test/
- Ran `python tests/test_basic.py` and all 27 tests pass
- Ran `flake8 .` locally and there are no errors
- No `print()` or `console.log()` debug statements
Notes for Reviewer
The CSP policy currently allows 'unsafe-inline' for scripts and styles to avoid breaking existing inline <script>/<style> usage in templates. If the maintainer prefers a stricter policy (nonce-based or hash-based), templates would need to be refactored to remove inline scripts/styles — happy to follow up with that as a separate PR if desired.
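The page does not show the diff itself, so the following is an added example (not the project's app.py) that reconstructs the header from the description above: the merged form with `'unsafe-inline'` kept for existing inline scripts and styles, and the stricter nonce-based variant suggested as a follow-up; `build_csp`, `parse_csp`, `csp_as_merged`, `csp_with_nonce` and `allows_inline` are assumed names, and the Flask wiring at the bottom assumes Flask is installed.

```python
# Added example, not the project's own code. Builds the CSP header the PR
# describes, the nonce-based alternative from the reviewer note, and a parser
# so a test can check each directive instead of eyeballing the header string.
import secrets

# Directive set from the PR description: every source restricted to 'self'.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'self'"],
}

def build_csp(policy):
    """Serialise a {directive: [sources]} dict into a CSP header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())

def parse_csp(value):
    """Parse a CSP header value back into {directive: [sources]} for checks."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out

def csp_as_merged():
    """Policy as merged: 'unsafe-inline' kept so inline <script>/<style> still work."""
    policy = {d: list(s) for d, s in BASE_POLICY.items()}
    policy["script-src"].append("'unsafe-inline'")
    policy["style-src"].append("'unsafe-inline'")
    return build_csp(policy)

def csp_with_nonce(nonce):
    """Stricter follow-up: a per-response nonce replaces 'unsafe-inline'.
    Templates must then emit <script nonce="..."> for inline code to run."""
    policy = {d: list(s) for d, s in BASE_POLICY.items()}
    policy["script-src"].append(f"'nonce-{nonce}'")
    policy["style-src"].append(f"'nonce-{nonce}'")
    return build_csp(policy)

def allows_inline(value):
    """True if script-src or style-src still permits arbitrary inline content."""
    d = parse_csp(value)
    return any("'unsafe-inline'" in d.get(k, []) for k in ("script-src", "style-src"))

if __name__ == "__main__":  # after-request hook wiring, mirroring add_security_headers
    from flask import Flask, g
    app = Flask(__name__)

    @app.before_request
    def make_nonce():
        g.csp_nonce = secrets.token_urlsafe(16)  # fresh nonce per response

    @app.after_request
    def add_security_headers(resp):
        resp.headers["Content-Security-Policy"] = csp_with_nonce(g.csp_nonce)
        return resp

    with app.test_client() as c:
        print(c.get("/").headers["Content-Security-Policy"])
```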