Skip to content

security: Add HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) #45

Description

@YaronZaki

Problem Statement

No HTTP security headers are set in FastAPI middleware or nginx configurations. Missing: Content-Security-Policy (XSS prevention), Strict-Transport-Security (MITM prevention), X-Frame-Options (clickjacking prevention), X-Content-Type-Options (MIME-sniffing prevention), Referrer-Policy.

Evidence

  • quantara/web_app/api/main.py: Only SessionMiddleware and CORSMiddleware — no security header middleware
  • quantara/frontend/quantara.conf: SSL configured but no add_header directives for security headers
  • quantara/frontend/quantara_dev.conf: Same gap

Impact

Medium — multiple web attack vectors. Without CSP: XSS attacks execute arbitrary scripts. Without HSTS: MITM can downgrade to HTTP. Without X-Frame-Options: clickjacking possible on the web interface.

Proposed Solution

Add Starlette BaseHTTPMiddleware to inject security headers on all FastAPI responses. Configure nginx to add same headers at reverse proxy level as defense-in-depth. CSP: 'self', https://*.stellar.org, Freighter wallet API. HSTS: max-age=31536000; includeSubDomains in production only.

Acceptance Criteria

  • All responses include CSP, HSTS (production), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin
  • CSP allows legit sources without breaking frontend functionality
  • HSTS set with max-age=31536000 only when ENV_VERSION=PROD
  • Nginx configs updated as defense-in-depth
  • All existing tests pass

File Map

  • quantara/web_app/api/main.py — add security header middleware
  • quantara/frontend/quantara.conf — add nginx add_header directives
  • quantara/frontend/quantara_dev.conf — add nginx security headers (shorter HSTS for dev)

Testing Strategy

  • Unit: Test middleware injects correct headers
  • Integration: curl -I to verify all headers present
  • Manual: Use securityheaders.com or Mozilla Observatory to scan deployed app

Security Considerations

Start CSP with Content-Security-Policy-Report-Only to identify blocked resources before enforcing. Use defense-in-depth: both FastAPI middleware and nginx headers.

Definition of Done

  • Code implemented and peer-reviewed
  • Tests written and passing
  • Documentation updated
  • CSP tested in report-only mode first
  • PR linked and merged

Labels: security
Priority: Medium
Difficulty: Intermediate
Estimated Effort: 2h

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions