diff --git a/backend/src/app.py b/backend/src/app.py index 87d30533..aecfaee5 100755 --- a/backend/src/app.py +++ b/backend/src/app.py @@ -19,9 +19,9 @@ import asyncio from fastapi import FastAPI, HTTPException, Request, WebSocket, WebSocketDisconnect from fastapi.middleware.cors import CORSMiddleware -from fastapi.middleware.trustedhost import TrustedHostMiddleware from fastapi.responses import FileResponse from fastapi.staticfiles import StaticFiles +from starlette.middleware.base import BaseHTTPMiddleware from starlette.middleware.sessions import SessionMiddleware from .api import auth @@ -190,11 +190,15 @@ app.add_middleware( allow_headers=["*"], ) -# HSTS — force HTTPS in production (see [SEC:L-2]) -app.add_middleware( - TrustedHostMiddleware, - allowed_hosts=_allowed_origins if _allowed_origins else ["*"], -) +# HSTS — Strict-Transport-Security header (see [SEC:L-2]) +class HSTSMiddleware(BaseHTTPMiddleware): + """Add Strict-Transport-Security header to every response.""" + async def dispatch(self, request: Request, call_next): + response = await call_next(request) + response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains" + return response + +app.add_middleware(HSTSMiddleware) # #endregion app_middleware # #region network_error_handler [C:1] [TYPE Function] # @BRIEF Global exception handler for NetworkError.