refac

2026-05-02 18:33:33 -05:00 · 2026-03-17 17:58:01 -05:00
parent fcf7208352
commit de3317e26b
220 changed files with 17200 additions and 22836 deletions
--- a/backend/open_webui/utils/security_headers.py
+++ b/backend/open_webui/utils/security_headers.py
@@ -39,16 +39,16 @@ def set_security_headers() -> Dict[str, str]:
    """
    options = {}
    header_setters = {
-        "CACHE_CONTROL": set_cache_control,
-        "HSTS": set_hsts,
-        "PERMISSIONS_POLICY": set_permissions_policy,
-        "REFERRER_POLICY": set_referrer,
-        "XCONTENT_TYPE": set_xcontent_type,
-        "XDOWNLOAD_OPTIONS": set_xdownload_options,
-        "XFRAME_OPTIONS": set_xframe,
-        "XPERMITTED_CROSS_DOMAIN_POLICIES": set_xpermitted_cross_domain_policies,
-        "CONTENT_SECURITY_POLICY": set_content_security_policy,
-        "REPORTING_ENDPOINTS": set_reporting_endpoints,
+        'CACHE_CONTROL': set_cache_control,
+        'HSTS': set_hsts,
+        'PERMISSIONS_POLICY': set_permissions_policy,
+        'REFERRER_POLICY': set_referrer,
+        'XCONTENT_TYPE': set_xcontent_type,
+        'XDOWNLOAD_OPTIONS': set_xdownload_options,
+        'XFRAME_OPTIONS': set_xframe,
+        'XPERMITTED_CROSS_DOMAIN_POLICIES': set_xpermitted_cross_domain_policies,
+        'CONTENT_SECURITY_POLICY': set_content_security_policy,
+        'REPORTING_ENDPOINTS': set_reporting_endpoints,
    }

    for env_var, setter in header_setters.items():
@@ -63,78 +63,78 @@ def set_security_headers() -> Dict[str, str]:

 # Set HTTP Strict Transport Security(HSTS) response header
 def set_hsts(value: str):
-    pattern = r"^max-age=(\d+)(;includeSubDomains)?(;preload)?$"
+    pattern = r'^max-age=(\d+)(;includeSubDomains)?(;preload)?$'
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = "max-age=31536000;includeSubDomains"
-    return {"Strict-Transport-Security": value}
+        value = 'max-age=31536000;includeSubDomains'
+    return {'Strict-Transport-Security': value}


 # Set X-Frame-Options response header
 def set_xframe(value: str):
-    pattern = r"^(DENY|SAMEORIGIN)$"
+    pattern = r'^(DENY|SAMEORIGIN)$'
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = "DENY"
-    return {"X-Frame-Options": value}
+        value = 'DENY'
+    return {'X-Frame-Options': value}


 # Set Permissions-Policy response header
 def set_permissions_policy(value: str):
-    pattern = r"^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$"
+    pattern = r'^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$'
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = "none"
-    return {"Permissions-Policy": value}
+        value = 'none'
+    return {'Permissions-Policy': value}


 # Set Referrer-Policy response header
 def set_referrer(value: str):
-    pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"
+    pattern = r'^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$'
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = "no-referrer"
-    return {"Referrer-Policy": value}
+        value = 'no-referrer'
+    return {'Referrer-Policy': value}


 # Set Cache-Control response header
 def set_cache_control(value: str):
-    pattern = r"^(public|private|no-cache|no-store|must-revalidate|proxy-revalidate|max-age=\d+|s-maxage=\d+|no-transform|immutable)(,\s*(public|private|no-cache|no-store|must-revalidate|proxy-revalidate|max-age=\d+|s-maxage=\d+|no-transform|immutable))*$"
+    pattern = r'^(public|private|no-cache|no-store|must-revalidate|proxy-revalidate|max-age=\d+|s-maxage=\d+|no-transform|immutable)(,\s*(public|private|no-cache|no-store|must-revalidate|proxy-revalidate|max-age=\d+|s-maxage=\d+|no-transform|immutable))*$'
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = "no-store, max-age=0"
+        value = 'no-store, max-age=0'

-    return {"Cache-Control": value}
+    return {'Cache-Control': value}


 # Set X-Download-Options response header
 def set_xdownload_options(value: str):
-    if value != "noopen":
-        value = "noopen"
-    return {"X-Download-Options": value}
+    if value != 'noopen':
+        value = 'noopen'
+    return {'X-Download-Options': value}


 # Set X-Content-Type-Options response header
 def set_xcontent_type(value: str):
-    if value != "nosniff":
-        value = "nosniff"
-    return {"X-Content-Type-Options": value}
+    if value != 'nosniff':
+        value = 'nosniff'
+    return {'X-Content-Type-Options': value}


 # Set X-Permitted-Cross-Domain-Policies response header
 def set_xpermitted_cross_domain_policies(value: str):
-    pattern = r"^(none|master-only|by-content-type|by-ftp-filename)$"
+    pattern = r'^(none|master-only|by-content-type|by-ftp-filename)$'
    match = re.match(pattern, value, re.IGNORECASE)
    if not match:
-        value = "none"
-    return {"X-Permitted-Cross-Domain-Policies": value}
+        value = 'none'
+    return {'X-Permitted-Cross-Domain-Policies': value}


 # Set Content-Security-Policy response header
 def set_content_security_policy(value: str):
-    return {"Content-Security-Policy": value}
+    return {'Content-Security-Policy': value}


 # Set Reporting-Endpoints response header
 def set_reporting_endpoints(value: str):
-    return {"Reporting-Endpoints": value}
+    return {'Reporting-Endpoints': value}