chore: format

2025-06-26 18:26:48 +00:00 · 2024-09-19 03:24:39 +02:00 · 2024-09-19 03:24:39 +02:00 · 1053863175
commit 1053863175
parent f448341211
1 changed files with 37 additions and 42 deletions
--- a/backend/open_webui/utils/security_headers.py
+++ b/backend/open_webui/utils/security_headers.py
@ -5,12 +5,14 @@ from fastapi import Request
 from starlette.middleware.base import BaseHTTPMiddleware
 from typing import Dict

+
 class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next):
        response = await call_next(request)
        response.headers.update(set_security_headers())
        return response

+
 def set_security_headers() -> Dict[str, str]:
    """
    Sets security headers based on environment variables.
@ -34,13 +36,13 @@ def set_security_headers() -> Dict[str, str]:
    """
    options = {}
    header_setters = {
-        'CACHE_CONTROL': set_cache_control,
-        'HSTS': set_hsts,
-        'REFERRER_POLICY': set_referrer,
-        'XCONTENT_TYPE': set_xcontent_type,
-        'XDOWNLOAD_OPTIONS': set_xdownload_options,
-        'XFRAME_OPTIONS': set_xframe,
-        'XPERMITTED_CROSS_DOMAIN_POLICIES': set_xpermitted_cross_domain_policies,
+        "CACHE_CONTROL": set_cache_control,
+        "HSTS": set_hsts,
+        "REFERRER_POLICY": set_referrer,
+        "XCONTENT_TYPE": set_xcontent_type,
+        "XDOWNLOAD_OPTIONS": set_xdownload_options,
+        "XFRAME_OPTIONS": set_xframe,
+        "XPERMITTED_CROSS_DOMAIN_POLICIES": set_xpermitted_cross_domain_policies,
    }

    for env_var, setter in header_setters.items():
@ -52,69 +54,62 @@ def set_security_headers() -> Dict[str, str]:

    return options

+
 # Set HTTP Strict Transport Security(HSTS) response header
 def set_hsts(value: str):
-    pattern = r'^max-age=(\d+)(;includeSubDomains)?(;preload)?$'
+    pattern = r"^max-age=(\d+)(;includeSubDomains)?(;preload)?$"
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        return 'max-age=31536000;includeSubDomains'
-    return {
-        'Strict-Transport-Security': value
-    }
+        return "max-age=31536000;includeSubDomains"
+    return {"Strict-Transport-Security": value}
+

 # Set X-Frame-Options response header
 def set_xframe(value: str):
-    pattern = r'^(DENY|SAMEORIGIN)$'
+    pattern = r"^(DENY|SAMEORIGIN)$"
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = 'DENY'
-    return {
-        "X-Frame-Options": value
-    }
+        value = "DENY"
+    return {"X-Frame-Options": value}
+

 # Set Referrer-Policy response header
 def set_referrer(value: str):
-    pattern = r'^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$'
+    pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = 'no-referrer'
-    return {
-        'Referrer-Policy': value
-    }
+        value = "no-referrer"
+    return {"Referrer-Policy": value}
+

 # Set Cache-Control response header
 def set_cache_control(value: str):
-    pattern = r'^(public|private|no-cache|no-store|must-revalidate|proxy-revalidate|max-age=\d+|s-maxage=\d+|no-transform|immutable)(,\s*(public|private|no-cache|no-store|must-revalidate|proxy-revalidate|max-age=\d+|s-maxage=\d+|no-transform|immutable))*$'
+    pattern = r"^(public|private|no-cache|no-store|must-revalidate|proxy-revalidate|max-age=\d+|s-maxage=\d+|no-transform|immutable)(,\s*(public|private|no-cache|no-store|must-revalidate|proxy-revalidate|max-age=\d+|s-maxage=\d+|no-transform|immutable))*$"
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = 'no-store, max-age=0'
+        value = "no-store, max-age=0"
+
+    return {"Cache-Control": value}

-    return {
-        'Cache-Control': value
-    }

 # Set X-Download-Options response header
 def set_xdownload_options(value: str):
-    if value != 'noopen':
-        value = 'noopen'
-    return {
-        'X-Download-Options': value
-    }
+    if value != "noopen":
+        value = "noopen"
+    return {"X-Download-Options": value}
+

 # Set X-Content-Type-Options response header
 def set_xcontent_type(value: str):
-    if value != 'nosniff':
-        value = 'nosniff'
-    return {
-        'X-Content-Type-Options': value
-    }
+    if value != "nosniff":
+        value = "nosniff"
+    return {"X-Content-Type-Options": value}
+

 # Set X-Permitted-Cross-Domain-Policies response header
 def set_xpermitted_cross_domain_policies(value: str):
-    pattern = r'^(none|master-only|by-content-type|by-ftp-filename)$'
+    pattern = r"^(none|master-only|by-content-type|by-ftp-filename)$"
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = 'none'
-    return {
-        'X-Permitted-Cross-Domain-Policies': value
-    }
+        value = "none"
+    return {"X-Permitted-Cross-Domain-Policies": value}