Update: Uncomment check format

oh_security
TAMDeveloper13 1 month ago
parent 130f8acf8f
commit d2ecf0849e

@ -157,7 +157,7 @@ def security_headers_middleware(app: FastAPI):
security_headers_middleware(app) security_headers_middleware(app)
# app.add_middleware(RequestValidationMiddleware) app.add_middleware(RequestValidationMiddleware)
# app.add_middleware( # app.add_middleware(
# CSRFProtectMiddleware, # CSRFProtectMiddleware,
# excluded_paths=["/healthcheck"] # excluded_paths=["/healthcheck"]

@ -266,37 +266,37 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
return await handle_exception(request, exc) return await handle_exception(request, exc)
async def _validate_and_forward(self, request: Request, call_next): async def _validate_and_forward(self, request: Request, call_next):
# ------------------------- # # -------------------------
# 0. Header validation # # 0. Header validation
# ------------------------- # # -------------------------
header_keys = [key.lower() for key, _ in request.headers.items()] # header_keys = [key.lower() for key, _ in request.headers.items()]
# Check for duplicate headers # # Check for duplicate headers
header_counter = Counter(header_keys) # header_counter = Counter(header_keys)
duplicate_headers = [key for key, count in header_counter.items() if count > 1] # duplicate_headers = [key for key, count in header_counter.items() if count > 1]
ALLOW_DUPLICATE_HEADERS = {'accept', 'accept-encoding', 'accept-language', 'accept-charset', 'cookie'} # ALLOW_DUPLICATE_HEADERS = {'accept', 'accept-encoding', 'accept-language', 'accept-charset', 'cookie'}
real_duplicates = [h for h in duplicate_headers if h not in ALLOW_DUPLICATE_HEADERS] # real_duplicates = [h for h in duplicate_headers if h not in ALLOW_DUPLICATE_HEADERS]
if real_duplicates: # if real_duplicates:
raise HTTPException( # raise HTTPException(
status_code=422, # status_code=422,
detail=f"Duplicate headers detected: {real_duplicates}", # detail=f"Duplicate headers detected: {real_duplicates}",
) # )
# Whitelist headers # # Whitelist headers
unknown_headers = [key for key in header_keys if key not in ALLOWED_HEADERS] # unknown_headers = [key for key in header_keys if key not in ALLOWED_HEADERS]
if unknown_headers: # if unknown_headers:
filtered_unknown = [h for h in unknown_headers if not h.startswith('sec-')] # filtered_unknown = [h for h in unknown_headers if not h.startswith('sec-')]
if filtered_unknown: # if filtered_unknown:
raise HTTPException( # raise HTTPException(
status_code=422, # status_code=422,
detail=f"Unknown headers detected: {filtered_unknown}", # detail=f"Unknown headers detected: {filtered_unknown}",
) # )
# Inspect header values # # Inspect header values
for key, value in request.headers.items(): # for key, value in request.headers.items():
if value: # if value:
inspect_value(value, f"header '{key}'") # inspect_value(value, f"header '{key}'")
# ------------------------- # -------------------------
# 1. Query string limits # 1. Query string limits

Loading…
Cancel
Save