feat: add security headers middleware with report-only CSP

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 02:38:42 +00:00
parent 24acfc9a45
commit 2f18056fd1
4 changed files with 130 additions and 0 deletions
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -49,6 +49,11 @@ class Settings(BaseSettings):
    # Security
    BCRYPT_ROUNDS: int = 12

+    # Security Headers
+    CSP_REPORT_ONLY: bool = True  # Set False to enforce CSP
+    CSP_EXTRA_SCRIPT_SOURCES: list[str] = []  # Additional script-src domains
+    CSP_EXTRA_CONNECT_SOURCES: list[str] = []  # Additional connect-src domains
+
    # Registration
    REQUIRE_INVITE_CODE: bool = True  # Set to False to allow open registration