[agent] fix: harden api server response headers

2026-06-07 08:02:23 +00:00 · 2026-05-16 16:41:03 +09:00 · 2026-05-16 16:41:03 +09:00 · 5631345b12
commit 5631345b12
parent b389796ae3
2 changed files with 10 additions and 0 deletions
--- a/gateway/platforms/api_server.py
+++ b/gateway/platforms/api_server.py
@ -510,7 +510,12 @@ else:
    body_limit_middleware = None  # type: ignore[assignment]

 _SECURITY_HEADERS = {
+    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
+    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
+    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+    "X-XSS-Protection": "0",
    "Referrer-Policy": "no-referrer",
 }

--- a/tests/gateway/test_api_server.py
+++ b/tests/gateway/test_api_server.py
@ -445,7 +445,12 @@ class TestHealthEndpoint:
        async with TestClient(TestServer(app)) as cli:
            resp = await cli.get("/health")
            assert resp.status == 200
+            assert resp.headers.get("Content-Security-Policy") == "default-src 'none'; frame-ancestors 'none'"
+            assert resp.headers.get("Permissions-Policy") == "camera=(), microphone=(), geolocation=()"
+            assert resp.headers.get("Strict-Transport-Security") == "max-age=31536000; includeSubDomains"
            assert resp.headers.get("X-Content-Type-Options") == "nosniff"
+            assert resp.headers.get("X-Frame-Options") == "DENY"
+            assert resp.headers.get("X-XSS-Protection") == "0"
            assert resp.headers.get("Referrer-Policy") == "no-referrer"

    @pytest.mark.asyncio