security: set sensible defaults for security response headers

X-Content-Type-Options, X-Frame-Options, and Referrer-Policy all
defaulted to empty (disabled). Set defaults to nosniff, DENY, and
strict-origin-when-cross-origin respectively. Operators can still
override or disable via environment variables.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hugh Brown
2026-03-03 13:40:03 -07:00
committed by Abhimanyu Saharan
parent c7f8578f38
commit 8e145a2129


@@ -49,11 +49,12 @@ class Settings(BaseSettings):
clerk_leeway: float = 10.0
cors_origins: str = ""
base_url: str
# Security response headers (blank disables header injection)
security_header_x_content_type_options: str = ""
security_header_x_frame_options: str = ""
security_header_referrer_policy: str = ""
base_url: str = ""
# Security response headers (set to blank to disable a specific header)
security_header_x_content_type_options: str = "nosniff"
security_header_x_frame_options: str = "DENY"
security_header_referrer_policy: str = "strict-origin-when-cross-origin"
security_header_permissions_policy: str = ""
# Database lifecycle
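Review bot: this hunk also turns `base_url: str` into `base_url: str = ""`, changing it from a required setting into an optional one with an empty default, and adds a new `security_header_permissions_policy: str = ""` field; neither change is mentioned in the commit message, which only describes the three new header defaults. Making `base_url` optional means a deployment that previously failed at startup for a missing base URL will now start with an empty value, so either keep `base_url: str` required or state the intended behaviour in the message, and document the new Permissions-Policy setting alongside the other three.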