feat(api-server): add basic security headers (#3576)

Add X-Content-Type-Options: nosniff and Referrer-Policy: no-referrer to all API server responses via a new security_headers_middleware. Co-authored-by: Oktay Aydin <aydnOktay@users.noreply.github.com>
2026-05-17 04:31:55 +00:00 · 2026-03-28 14:00:52 -07:00 · 2026-03-28 14:00:52 -07:00 · df1bf0a209
commit df1bf0a209
parent 49a49983e4
2 changed files with 31 additions and 2 deletions
--- a/gateway/platforms/api_server.py
+++ b/gateway/platforms/api_server.py
@ -223,6 +223,23 @@ if AIOHTTP_AVAILABLE:
 else:
    body_limit_middleware = None  # type: ignore[assignment]

+_SECURITY_HEADERS = {
+    "X-Content-Type-Options": "nosniff",
+    "Referrer-Policy": "no-referrer",
+}
+
+
+if AIOHTTP_AVAILABLE:
+    @web.middleware
+    async def security_headers_middleware(request, handler):
+        """Add security headers to all responses (including errors)."""
+        response = await handler(request)
+        for k, v in _SECURITY_HEADERS.items():
+            response.headers.setdefault(k, v)
+        return response
+else:
+    security_headers_middleware = None  # type: ignore[assignment]
+

 class _IdempotencyCache:
    """In-memory idempotency cache with TTL and basic LRU semantics."""
@ -1224,7 +1241,7 @@ class APIServerAdapter(BasePlatformAdapter):
            return False

        try:
-            mws = [mw for mw in (cors_middleware, body_limit_middleware) if mw is not None]
+            mws = [mw for mw in (cors_middleware, body_limit_middleware, security_headers_middleware) if mw is not None]
            self._app = web.Application(middlewares=mws)
            self._app["api_server_adapter"] = self
            self._app.router.add_get("/health", self._handle_health)