feat: Add permissions-policy to security headers

This commit is contained in:
Diego Monti 2024-11-06 18:16:22 +01:00
parent 7228b39064
commit b1805380dc


@ -20,6 +20,7 @@ def set_security_headers() -> Dict[str, str]:
This function reads specific environment variables and uses their values This function reads specific environment variables and uses their values
to set corresponding security headers. The headers that can be set are: to set corresponding security headers. The headers that can be set are:
- cache-control - cache-control
- permissions-policy
- strict-transport-security - strict-transport-security
- referrer-policy - referrer-policy
- x-content-type-options - x-content-type-options
@ -38,6 +39,7 @@ def set_security_headers() -> Dict[str, str]:
header_setters = { header_setters = {
"CACHE_CONTROL": set_cache_control, "CACHE_CONTROL": set_cache_control,
"HSTS": set_hsts, "HSTS": set_hsts,
"PERMISSIONS_POLICY": set_permissions_policy,
"REFERRER_POLICY": set_referrer, "REFERRER_POLICY": set_referrer,
"XCONTENT_TYPE": set_xcontent_type, "XCONTENT_TYPE": set_xcontent_type,
"XDOWNLOAD_OPTIONS": set_xdownload_options, "XDOWNLOAD_OPTIONS": set_xdownload_options,
@ -73,6 +75,15 @@ def set_xframe(value: str):
return {"X-Frame-Options": value} return {"X-Frame-Options": value}
# Set Permissions-Policy response header
def set_permissions_policy(value: str):
pattern = r"^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$"
match = re.match(pattern, value, re.IGNORECASE)
if not match:
value = "none"
return {"Permissions-Policy": value}
# Set Referrer-Policy response header # Set Referrer-Policy response header
def set_referrer(value: str): def set_referrer(value: str):
pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$" pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"
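Review bot: In `set_permissions_policy` (third hunk) the fallback `value = "none"` is not valid Permissions-Policy syntax: the header is a structured-field dictionary of `feature=(allowlist)` items, so a bare `none` is malformed and is likely to be discarded by the browser, which silently masks a misconfigured `PERMISSIONS_POLICY` variable instead of producing a restrictive policy. The validation regex is also looser and stricter than intended at the same time: the outer `(...)*` group accepts the empty string, a trailing comma and adjacent items with no separator, while the lack of `\s*` rejects the conventional `camera=(), microphone=()` spacing, so some malformed input passes and common valid input falls back; `re.match` with `$` additionally tolerates a trailing newline, so `re.fullmatch` on a stripped value is the safer anchor. `re.IGNORECASE` should go too, since dictionary keys and the `self` token are lowercase-only in the structured-field grammar, and the function needs a docstring stating which directive forms are accepted. A rewrite along these lines keeps the accepted feature set unchanged and makes the fallback an explicit deny of every listed feature (omitting the header entirely is the other defensible choice):
```python
# Set Permissions-Policy response header
def set_permissions_policy(value: str):
    """Validate *value* as a Permissions-Policy directive list.

    Only comma-separated ``<feature>=()`` / ``<feature>=(self)`` items for the
    features listed below are accepted; any other input is replaced by a policy
    that denies all of those features, because a bare ``none`` is not valid
    Permissions-Policy syntax and would be ignored by the browser.
    """
    features = (
        "accelerometer|autoplay|camera|clipboard-read|clipboard-write|"
        "fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|"
        "payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking"
    )
    directive = rf"(?:{features})=\((?:self)?\)"
    pattern = rf"^{directive}(?:\s*,\s*{directive})*$"
    value = value.strip()
    if not re.fullmatch(pattern, value):
        # Deny-all fallback: explicit empty allowlists, not the invalid "none"
        value = ", ".join(f"{feature}=()" for feature in features.split("|"))
    return {"Permissions-Policy": value}
```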