This commit is contained in:
Timothy Jaeryang Baek
2026-04-20 09:10:48 +09:00
parent c3c857a3ec
commit f246a66810


@@ -28,6 +28,10 @@ def set_security_headers() -> Dict[str, str]:
- x-frame-options
- x-permitted-cross-domain-policies
- content-security-policy
- content-security-policy-report-only
- cross-origin-embedder-policy
- cross-origin-opener-policy
- cross-origin-resource-policy
- reporting-endpoints
Each environment variable is associated with a specific setter function
@@ -48,6 +52,10 @@ def set_security_headers() -> Dict[str, str]:
'XFRAME_OPTIONS': set_xframe,
'XPERMITTED_CROSS_DOMAIN_POLICIES': set_xpermitted_cross_domain_policies,
'CONTENT_SECURITY_POLICY': set_content_security_policy,
'CONTENT_SECURITY_POLICY_REPORT_ONLY': set_content_security_policy_report_only,
'CROSS_ORIGIN_EMBEDDER_POLICY': set_cross_origin_embedder_policy,
'CROSS_ORIGIN_OPENER_POLICY': set_cross_origin_opener_policy,
'CROSS_ORIGIN_RESOURCE_POLICY': set_cross_origin_resource_policy,
'REPORTING_ENDPOINTS': set_reporting_endpoints,
}
@@ -135,6 +143,38 @@ def set_content_security_policy(value: str):
return {'Content-Security-Policy': value}
# Set Content-Security-Policy-Report-Only response header
def set_content_security_policy_report_only(value: str):
return {'Content-Security-Policy-Report-Only': value}
# Set Cross-Origin-Embedder-Policy response header
def set_cross_origin_embedder_policy(value: str):
pattern = r'^(unsafe-none|require-corp|credentialless)$'
match = re.match(pattern, value, re.IGNORECASE)
if not match:
value = 'require-corp'
return {'Cross-Origin-Embedder-Policy': value}
# Set Cross-Origin-Opener-Policy response header
def set_cross_origin_opener_policy(value: str):
pattern = r'^(unsafe-none|same-origin-allow-popups|same-origin)$'
match = re.match(pattern, value, re.IGNORECASE)
if not match:
value = 'same-origin'
return {'Cross-Origin-Opener-Policy': value}
# Set Cross-Origin-Resource-Policy response header
def set_cross_origin_resource_policy(value: str):
pattern = r'^(same-site|same-origin|cross-origin)$'
match = re.match(pattern, value, re.IGNORECASE)
if not match:
value = 'same-origin'
return {'Cross-Origin-Resource-Policy': value}
# Set Reporting-Endpoints response header
def set_reporting_endpoints(value: str):
return {'Reporting-Endpoints': value}
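Review bot: The three validated setters (set_cross_origin_embedder_policy, set_cross_origin_opener_policy, set_cross_origin_resource_policy) match with re.IGNORECASE but then emit `value` exactly as configured, so `Require-Corp` or `SAME-ORIGIN` passes validation and is sent verbatim; browsers parse these headers as structured-field tokens and compare them case-sensitively, so a mixed-case value is treated as unrecognized and the intended policy is silently not applied. Normalizing before the match, `value = value.strip().lower()` as the first line of each of the three functions, fixes this and also tolerates the trailing whitespace an environment variable commonly carries, which currently sends the value into the fallback branch. Separately, the `if not match:` branches swap an invalid value for a default without emitting any warning, so a mistyped policy name is replaced silently; a one-line warning naming the rejected value and the default it was replaced with would make the misconfiguration visible. Whether the module already has a logger in scope is not visible in this hunk.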