Spaces:

neural-thinker
/

cidadao.ai-backend

Paused

anderson-ufrj commited on Sep 19

Commit

ac4a861

1 Parent(s): 71ebb65

fix: expand header whitelist for API authentication and caching headers

Added essential HTTP headers to the security middleware skip list:
- authorization, x-api-key: Required for API authentication
- content-type, content-length: Standard HTTP headers
- cookie: Session management
- cache-control, pragma, expires: HTTP caching headers
- if-none-match, if-modified-since: Conditional request headers

These headers are commonly used in legitimate API requests and should
not be validated for suspicious patterns. This resolves the "Invalid
request headers" error when the frontend tries to communicate with
the backend API.

Files changed (1) hide show

src/api/middleware/security.py +4 -1

src/api/middleware/security.py CHANGED Viewed

@@ -235,7 +235,10 @@ class RequestValidator:
             "user-agent", "accept", "accept-language", "accept-encoding",
             "referer", "origin", "x-direct-url", "x-forwarded-for",
             "x-forwarded-proto", "x-forwarded-host", "x-real-ip",
-            "host", "connection", "upgrade-insecure-requests"
         }
         for name, value in request.headers.items():
             if name.lower() in skip_headers:

             "user-agent", "accept", "accept-language", "accept-encoding",
             "referer", "origin", "x-direct-url", "x-forwarded-for",
             "x-forwarded-proto", "x-forwarded-host", "x-real-ip",
+            "host", "connection", "upgrade-insecure-requests",
+            "authorization", "x-api-key", "content-type", "content-length",
+            "cookie", "cache-control", "pragma", "expires",
+            "if-none-match", "if-modified-since"
         }
         for name, value in request.headers.items():
             if name.lower() in skip_headers: