feat(security): add CSRF header constants and security-headers endpoint

Move X-BanGUI-Request header name/value to backend/app/utils/constants.py as single source of truth. Add GET /api/v1/config/security-headers endpoint. Update csrf middleware, frontend api client, and docs to use shared constants.
2026-05-03 22:06:43 +02:00
parent cee3daffc1
commit dafe8d61e2
7 changed files with 109 additions and 11 deletions
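As an added illustration of the check the commit message describes (a fixed custom header that every state-mutating request must carry), here is a stand-alone Python version of the middleware logic plus the payload a security-headers endpoint could return. This is example code, not code from the BanGUI repository or from this commit: the function names, the SAFE_METHODS exemption list and the JSON keys are assumptions; only the two constants are taken from the hunk below.

```python
"""Custom-header CSRF check and security-headers payload (added example).

Not code from the BanGUI project or this commit. It reproduces the
custom-header pattern against a plain dict of headers so it runs without a
web framework. csrf_allowed, security_headers_payload, SAFE_METHODS and the
payload keys are assumptions, not the project's API.
"""
from typing import Dict, Final, FrozenSet, Mapping, Optional

# Same constants as the commit's constants module, duplicated so the example
# is self-contained.
CSRF_HEADER_NAME: Final[str] = "X-BanGUI-Request"
CSRF_HEADER_VALUE: Final[str] = "1"

# RFC 9110 "safe" methods must not mutate state, so they are exempt from the
# check. Assumed list; the real middleware may exempt a different set.
SAFE_METHODS: Final[FrozenSet[str]] = frozenset({"GET", "HEAD", "OPTIONS"})


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive and
    proxies commonly lowercase them."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_allowed(method: str, headers: Mapping[str, str]) -> bool:
    """Return True if the request passes the custom-header CSRF rule.

    Why this blocks CSRF: a cross-site <form> post or <img> fetch cannot set
    a custom header, and a cross-origin fetch()/XHR that tries to set one is
    refused unless a CORS preflight explicitly allows it. A request carrying
    the header therefore came from script the browser allowed to talk to
    this origin. The defense holds only while the CORS policy never lists
    this header for an untrusted origin.
    """
    if method.upper() in SAFE_METHODS:
        return True
    value = _header(headers, CSRF_HEADER_NAME)
    # Require the exact value, not mere presence, so an intermediary that
    # forwards an empty header cannot satisfy the check.
    return value is not None and value.strip() == CSRF_HEADER_VALUE


def security_headers_payload() -> Dict[str, str]:
    """Body a GET /api/v1/config/security-headers endpoint could return so the
    SPA reads the header name/value from the backend instead of hard-coding
    it. Key names are assumed."""
    return {
        "csrf_header_name": CSRF_HEADER_NAME,
        "csrf_header_value": CSRF_HEADER_VALUE,
    }


if __name__ == "__main__":
    # Constructed requests: one legitimate SPA call and several forgeries.
    cases = [
        ("POST", {"x-bangui-request": "1"}, True),     # SPA, lowercased by proxy
        ("GET", {}, True),                             # safe method, exempt
        ("POST", {}, False),                           # cross-site HTML form
        ("DELETE", {"X-BanGUI-Request": ""}, False),   # header present, empty
        ("PUT", {"X-BanGUI-Request": "true"}, False),  # wrong value
    ]
    for method, hdrs, expected in cases:
        assert csrf_allowed(method, hdrs) is expected
    print("csrf check behaves as expected;", security_headers_payload())
```

The check is deliberately independent of any session or token state: the only thing that matters is that the browser refused to add the header on the attacker's behalf. Pairing it with an Origin/Referer comparison for mutating requests costs little and covers the case where a CORS misconfiguration later whitelists the header.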


@@ -45,6 +45,12 @@ SESSION_TOKEN_SIGNATURE_SEPARATOR: Final[str] = "."
SESSION_COOKIE_NAME: Final[str] = "bangui_session"
"""Name of the session cookie used by the browser SPA."""
CSRF_HEADER_NAME: Final[str] = "X-BanGUI-Request"
"""Name of the custom header clients must send for state-mutating requests."""
CSRF_HEADER_VALUE: Final[str] = "1"
"""Required value of the CSRF header to pass validation."""
# ---------------------------------------------------------------------------
# Authentication penalty (brute-force resistance)
# ---------------------------------------------------------------------------
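Review bot: the docstrings on CSRF_HEADER_NAME and CSRF_HEADER_VALUE say what the client must send but not why it works or what it depends on, and since this module is now the single source of truth that is where the invariant belongs. A fixed custom header defends against CSRF only because browsers cannot attach it to cross-site form posts and require a CORS preflight before fetch/XHR may send it, so the protection collapses if the CORS configuration ever lists X-BanGUI-Request in Access-Control-Allow-Headers for a non-trusted origin. Suggest extending the value's docstring along the lines of `"""Required value of the CSRF header to pass validation. The check relies on the header being non-simple (CORS preflight); never allow it for untrusted origins."""` and noting in the name's docstring that the middleware matches it case-insensitively, since proxies lowercase header names.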