Feature to set HTTP header "Content-Security-Policy"

Introduce CONTENT_SECURITY_POLICY environment variable to set HTTP header "Content-Security-Policy". Content Security Policy (CSP) is a feature that helps to prevent or minimize the risk of certain types of security threats. It consists of a series of instructions from a website to a browser, which instruct the browser to place restrictions on the things that the code comprising the site is allowed to do. https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
2024-12-28 06:42:47 +00:00 · 2024-11-30 21:31:54 +07:00 · 2024-11-30 21:31:54 +07:00 · 541ff6b41a
commit 541ff6b41a
parent 3792051604
1 changed files with 6 additions and 0 deletions
--- a/backend/open_webui/utils/security_headers.py
+++ b/backend/open_webui/utils/security_headers.py
@ -27,6 +27,7 @@ def set_security_headers() -> Dict[str, str]:
    - x-download-options
    - x-frame-options
    - x-permitted-cross-domain-policies
+    - content-security-policy

    Each environment variable is associated with a specific setter function
    that constructs the header. If the environment variable is set, the
@ -45,6 +46,7 @@ def set_security_headers() -> Dict[str, str]:
        "XDOWNLOAD_OPTIONS": set_xdownload_options,
        "XFRAME_OPTIONS": set_xframe,
        "XPERMITTED_CROSS_DOMAIN_POLICIES": set_xpermitted_cross_domain_policies,
+        "CONTENT_SECURITY_POLICY": set_content_security_policy,
    }

    for env_var, setter in header_setters.items():
@ -124,3 +126,7 @@ def set_xpermitted_cross_domain_policies(value: str):
    if not match:
        value = "none"
    return {"X-Permitted-Cross-Domain-Policies": value}
+
+# Set Content-Security-Policy response header
+def set_content_security_policy(value: str):
+    return {"Content-Security-Policy": value}