decision/backend/app/middleware/security_headers.py

"""Security headers middleware: adds hardening headers to all responses.

Applies OWASP-recommended security headers to prevent common
web vulnerabilities (clickjacking, MIME sniffing, XSS, etc.).
"""

from __future__ import annotations

from starlette.middleware.base import BaseHTTPMiddleware
from starlette.requests import Request
from starlette.responses import Response


class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    """Add security headers to all HTTP responses.

    Headers applied:
    - ``X-Content-Type-Options: nosniff``
    - ``X-Frame-Options: DENY``
    - ``X-XSS-Protection: 1; mode=block``
    - ``Referrer-Policy: strict-origin-when-cross-origin``
    - ``Content-Security-Policy: default-src 'self'``
    - ``Strict-Transport-Security: max-age=31536000; includeSubDomains``
      (only when the request was made over HTTPS)
    """

    async def dispatch(self, request: Request, call_next) -> Response:
        response = await call_next(request)

        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["X-Frame-Options"] = "DENY"
        response.headers["X-XSS-Protection"] = "1; mode=block"
        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
        response.headers["Content-Security-Policy"] = "default-src 'self'"

        # Only add HSTS header for HTTPS requests
        if request.url.scheme == "https":
            response.headers["Strict-Transport-Security"] = (
                "max-age=31536000; includeSubDomains"
            )

        return response