github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 03:18:23 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #4925] feat: security response headers #13790

New Issue
Closed
opened 2026-04-19 20:24:07 -05:00 by GiteaMirror · 2 comments
GiteaMirror commented 2026-04-19 20:24:07 -05:00
Owner
Copy Link

Originally created by @phil-ogb on GitHub (Aug 27, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/4925

Is your feature request related to a problem? Please describe.
The application does not include critical security response headers such as HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Content-Security-Policy. This leaves the application potentially vulnerable to various security threats, including clickjacking, MIME type sniffing attacks, and cross-site scripting (XSS) attacks. Since our deployment is done through Helm charts and we can't set these headers on the ALB, we need a way to implement these headers within the application itself.

Describe the solution you'd like
It'd be great to have the following security response headers in the application through some middleware:

  1. HSTS (HTTP Strict Transport Security)
  2. X-Frame-Options
  3. X-Content-Type-Options
  4. X-XSS-Protection
  5. Content-Security-Policy

These headers should be toggleable using environment variables for production deployments. This will allow us to easily enable or disable specific headers as needed without modifying the application code.

The implementation should include:

  1. A mechanism to set these headers in the application's HTTP responses.
  2. Environment variables for each header to enable/disable them (e.g., ENABLE_HSTS, ENABLE_X_FRAME_OPTIONS, etc.).
  3. Default values for each header when enabled (e.g., X-Frame-Options: DENY).
  4. Optional environment variables to customize header values where applicable (e.g., HSTS_MAX_AGE, CSP_POLICY).

Describe alternatives you've considered
Setting headers at the reverse proxy level: This is not feasible due to our Helm chart deployment and inability to set these on the ALB.

Originally created by @phil-ogb on GitHub (Aug 27, 2024). Original GitHub issue: https://github.com/open-webui/open-webui/issues/4925 **Is your feature request related to a problem? Please describe.** The application does not include critical security response headers such as HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Content-Security-Policy. This leaves the application potentially vulnerable to various security threats, including clickjacking, MIME type sniffing attacks, and cross-site scripting (XSS) attacks. Since our deployment is done through Helm charts and we can't set these headers on the ALB, we need a way to implement these headers within the application itself. **Describe the solution you'd like** It'd be great to have the following security response headers in the application through some middleware: 1. HSTS (HTTP Strict Transport Security) 2. X-Frame-Options 3. X-Content-Type-Options 4. X-XSS-Protection 5. Content-Security-Policy These headers should be toggleable using environment variables for production deployments. This will allow us to easily enable or disable specific headers as needed without modifying the application code. The implementation should include: 1. A mechanism to set these headers in the application's HTTP responses. 2. Environment variables for each header to enable/disable them (e.g., ENABLE_HSTS, ENABLE_X_FRAME_OPTIONS, etc.). 3. Default values for each header when enabled (e.g., X-Frame-Options: DENY). 4. Optional environment variables to customize header values where applicable (e.g., HSTS_MAX_AGE, CSP_POLICY). **Describe alternatives you've considered** Setting headers at the reverse proxy level: This is not feasible due to our Helm chart deployment and inability to set these on the ALB.
GiteaMirror commented 2026-04-19 20:24:09 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Aug 27, 2024):

PR Welcome!

<!-- gh-comment-id:2312388511 --> @tjbck commented on GitHub (Aug 27, 2024): PR Welcome!
GiteaMirror commented 2026-04-19 20:24:09 -05:00
Author
Owner
Copy Link

@phil-ogb commented on GitHub (Sep 17, 2024):

PR: https://github.com/open-webui/open-webui/pull/5466

<!-- gh-comment-id:2354289769 --> @phil-ogb commented on GitHub (Sep 17, 2024): PR: https://github.com/open-webui/open-webui/pull/5466
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#13790
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?