diff --git a/src/main.py b/src/main.py index 216e0f2..9a9f301 100644 --- a/src/main.py +++ b/src/main.py @@ -157,7 +157,7 @@ def security_headers_middleware(app: FastAPI): security_headers_middleware(app) -# app.add_middleware(RequestValidationMiddleware) +app.add_middleware(RequestValidationMiddleware) # app.add_middleware( # CSRFProtectMiddleware, # excluded_paths=["/healthcheck"] diff --git a/src/middleware.py b/src/middleware.py index 020b189..171f417 100644 --- a/src/middleware.py +++ b/src/middleware.py @@ -266,37 +266,37 @@ class RequestValidationMiddleware(BaseHTTPMiddleware): return await handle_exception(request, exc) async def _validate_and_forward(self, request: Request, call_next): - # ------------------------- - # 0. Header validation - # ------------------------- - header_keys = [key.lower() for key, _ in request.headers.items()] + # # ------------------------- + # # 0. Header validation + # # ------------------------- + # header_keys = [key.lower() for key, _ in request.headers.items()] - # Check for duplicate headers - header_counter = Counter(header_keys) - duplicate_headers = [key for key, count in header_counter.items() if count > 1] + # # Check for duplicate headers + # header_counter = Counter(header_keys) + # duplicate_headers = [key for key, count in header_counter.items() if count > 1] - ALLOW_DUPLICATE_HEADERS = {'accept', 'accept-encoding', 'accept-language', 'accept-charset', 'cookie'} - real_duplicates = [h for h in duplicate_headers if h not in ALLOW_DUPLICATE_HEADERS] - if real_duplicates: - raise HTTPException( - status_code=422, - detail=f"Duplicate headers detected: {real_duplicates}", - ) - - # Whitelist headers - unknown_headers = [key for key in header_keys if key not in ALLOWED_HEADERS] - if unknown_headers: - filtered_unknown = [h for h in unknown_headers if not h.startswith('sec-')] - if filtered_unknown: - raise HTTPException( - status_code=422, - detail=f"Unknown headers detected: {filtered_unknown}", - ) + # ALLOW_DUPLICATE_HEADERS = {'accept', 'accept-encoding', 'accept-language', 'accept-charset', 'cookie'} + # real_duplicates = [h for h in duplicate_headers if h not in ALLOW_DUPLICATE_HEADERS] + # if real_duplicates: + # raise HTTPException( + # status_code=422, + # detail=f"Duplicate headers detected: {real_duplicates}", + # ) + + # # Whitelist headers + # unknown_headers = [key for key in header_keys if key not in ALLOWED_HEADERS] + # if unknown_headers: + # filtered_unknown = [h for h in unknown_headers if not h.startswith('sec-')] + # if filtered_unknown: + # raise HTTPException( + # status_code=422, + # detail=f"Unknown headers detected: {filtered_unknown}", + # ) - # Inspect header values - for key, value in request.headers.items(): - if value: - inspect_value(value, f"header '{key}'") + # # Inspect header values + # for key, value in request.headers.items(): + # if value: + # inspect_value(value, f"header '{key}'") # ------------------------- # 1. Query string limits