Spaces:

neural-thinker
/

cidadao.ai-backend

Paused

anderson-ufrj commited on Sep 19

Commit

5765075

1 Parent(s): 7878f71

fix: relax security middleware header validation

Modified the security middleware to skip validation of common browser
headers (user-agent, accept, referer, etc.) to prevent false positives.

The middleware was incorrectly flagging legitimate browser requests as
suspicious due to overly aggressive pattern matching on headers like
user-agent that contain "javascript" in browser identification strings.

Changes:
- Skip pattern validation for common browser headers
- Only validate custom headers and potentially dangerous ones
- Maintains security while allowing normal browser access

This resolves the 400 "Invalid request headers" errors in production.

Files changed (1) hide show

src/api/middleware/security.py +4 -1

src/api/middleware/security.py CHANGED Viewed

@@ -230,8 +230,11 @@ class RequestValidator:
         if headers_size > SecurityConfig.MAX_HEADER_SIZE:
             return False, "Headers too large"
-        # Check for suspicious headers
         for name, value in request.headers.items():
             if any(pattern.search(value) for pattern in self.suspicious_patterns):
                 return False, f"Suspicious content in header {name}"

         if headers_size > SecurityConfig.MAX_HEADER_SIZE:
             return False, "Headers too large"
+        # Check for suspicious headers (skip user-agent and common headers)
+        skip_headers = {"user-agent", "accept", "accept-language", "accept-encoding", "referer", "origin"}
         for name, value in request.headers.items():
+            if name.lower() in skip_headers:
+                continue
             if any(pattern.search(value) for pattern in self.suspicious_patterns):
                 return False, f"Suspicious content in header {name}"