lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add security headers middleware and documentation

Browse Source 
- Add SecurityHeadersMiddleware to backend/app/main.py
  - Implements Content-Security-Policy: default-src 'self'
  - Implements X-Frame-Options: DENY (clickjacking protection)
  - Implements X-Content-Type-Options: nosniff (MIME-sniffing protection)
  - Implements X-XSS-Protection: 1; mode=block (browser XSS filters)
- Add CSP meta tag to frontend/index.html for defense-in-depth
- Create Docs/Security.md with comprehensive security headers documentation
- Add test suite (backend/tests/test_security_headers_middleware.py) with 5 tests
  - Tests verify headers are present on success and error responses
  - Tests ensure all four security headers are correctly set
- All existing tests continue to pass

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Lukas
2026-04-30 21:33:08 +02:00
parent 3bd9848a08
commit 400ab1a3f1
5 changed files with 256 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
Docs/Tasks.md
View File

@@ -1,50 +1,3 @@
## [CRITICAL] Global rate limiting missing
**Where found**
- `backend/app/routers/auth.py` — only `/api/auth/login` has rate limiting
- All other routers have no rate limiting
**Why this is needed**
Without rate limiting, attackers can spam endpoints to cause CPU spike, database overload, or network bandwidth exhaustion.
**Goal**
Implement global per-IP rate limiting on all endpoints.
**What to do**
1. Add rate limiting middleware to `backend/app/main.py`:
```python
from slowapi import Limiter
limiter = Limiter(key_func=get_remote_address, default_limits=["200 per minute"])
app.state.limiter = limiter
```
2. Apply to all routers with appropriate limits per endpoint
3. Return proper HTTP 429 with `Retry-After` header
4. Document limits in API docs
**Possible traps and issues**
- Limits set too low block legitimate users
- Distributed deployments need shared limiter state (Redis-backed)
- Different endpoints may need different limits
- Trusted IPs should bypass limiting
**Docs changes needed**
- Add section in `Docs/Backend-Development.md` § Rate Limiting
- Document default limits in deployment guide
**Doc references**
- `Docs/Backend-Development.md` (rate limiting)
- `backend/app/main.py` (middleware setup)
---
## [CRITICAL] Missing security headers (CSP, X-Frame-Options, etc.)
**Where found**