From 10cdb8a81a62d1d5bd240ae6b80b3ae430d2d4a2 Mon Sep 17 00:00:00 2001 From: busya Date: Tue, 26 May 2026 15:24:40 +0300 Subject: [PATCH] fix: replace TrustedHostMiddleware with proper HSTS middleware TrustedHostMiddleware blocked Vite proxied requests (Host: localhost:5173 vs allowed_hosts list). Replaced with simple HSTSMiddleware that adds Strict-Transport-Security header without blocking any requests. --- backend/src/app.py | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/backend/src/app.py b/backend/src/app.py index 87d30533..aecfaee5 100755 --- a/backend/src/app.py +++ b/backend/src/app.py @@ -19,9 +19,9 @@ import asyncio from fastapi import FastAPI, HTTPException, Request, WebSocket, WebSocketDisconnect from fastapi.middleware.cors import CORSMiddleware -from fastapi.middleware.trustedhost import TrustedHostMiddleware from fastapi.responses import FileResponse from fastapi.staticfiles import StaticFiles +from starlette.middleware.base import BaseHTTPMiddleware from starlette.middleware.sessions import SessionMiddleware from .api import auth @@ -190,11 +190,15 @@ app.add_middleware( allow_headers=["*"], ) -# HSTS — force HTTPS in production (see [SEC:L-2]) -app.add_middleware( - TrustedHostMiddleware, - allowed_hosts=_allowed_origins if _allowed_origins else ["*"], -) +# HSTS — Strict-Transport-Security header (see [SEC:L-2]) +class HSTSMiddleware(BaseHTTPMiddleware): + """Add Strict-Transport-Security header to every response.""" + async def dispatch(self, request: Request, call_next): + response = await call_next(request) + response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains" + return response + +app.add_middleware(HSTSMiddleware) # #endregion app_middleware # #region network_error_handler [C:1] [TYPE Function] # @BRIEF Global exception handler for NetworkError.