From 541ff6b41a428b7ae38f943f49df02c295092bba Mon Sep 17 00:00:00 2001
From: Diwakar
Date: Sat, 30 Nov 2024 21:31:54 +0700
Subject: [PATCH] Feature to set HTTP header "Content-Security-Policy"

Introduce CONTENT_SECURITY_POLICY environment variable to set HTTP header "Content-Security-Policy".

Content Security Policy (CSP) is a feature that helps to prevent or minimize the risk of certain types of security threats. It consists of a series of instructions from a website to a browser, which instruct the browser to place restrictions on the things that the code comprising the site is allowed to do.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
---
 backend/open_webui/utils/security_headers.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/backend/open_webui/utils/security_headers.py b/backend/open_webui/utils/security_headers.py
index bcef773a5..782b64b41 100644
--- a/backend/open_webui/utils/security_headers.py
+++ b/backend/open_webui/utils/security_headers.py
@@ -27,6 +27,7 @@ def set_security_headers() -> Dict[str, str]:
 - x-download-options
 - x-frame-options
 - x-permitted-cross-domain-policies
+ - content-security-policy
 Each environment variable is associated with a specific setter function that constructs the header. If the environment variable is set, the
@@ -45,6 +46,7 @@ def set_security_headers() -> Dict[str, str]:
 "XDOWNLOAD_OPTIONS": set_xdownload_options,
 "XFRAME_OPTIONS": set_xframe,
 "XPERMITTED_CROSS_DOMAIN_POLICIES": set_xpermitted_cross_domain_policies,
+ "CONTENT_SECURITY_POLICY": set_content_security_policy,
 }
 for env_var, setter in header_setters.items():
@@ -124,3 +126,7 @@ def set_xpermitted_cross_domain_policies(value: str):
 if not match:
 value = "none"
 return {"X-Permitted-Cross-Domain-Policies": value}
+
+# Set Content-Security-Policy response header
+def set_content_security_policy(value: str):
+ return {"Content-Security-Policy": value}
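Review bot: The new set_content_security_policy in the last hunk emits the environment value verbatim, whereas the sibling setter visible just above it (set_xpermitted_cross_domain_policies) validates its input and falls back to "none" when it does not match. A CSP directive list is too open-ended to whitelist, but the value still comes from configuration text, so surrounding whitespace should be stripped and an empty or control-character-bearing value (CR/LF would split the header) should not be emitted at all; the same concern applies to the mapping added in the second hunk, since that is what routes the raw value here. Returning an empty dict is the natural way to omit the header if the header_setters loop in set_security_headers merges the returned dicts, which the visible `for env_var, setter in header_setters.items():` suggests but does not show, so that assumption should be confirmed against the rest of that function. The new function also has no docstring; a one-line `"""Return the Content-Security-Policy header for a non-empty, control-character-free value, else an empty dict."""` would bring it in line with the documented module entry point.
```python
# Set Content-Security-Policy response header
def set_content_security_policy(value: str):
    # The value is arbitrary configuration text; CR/LF or other control
    # characters would corrupt the header, so refuse them and blank values.
    value = value.strip()
    if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return {}
    return {"Content-Security-Policy": value}
```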