anderson-ufrj
commited on
be83f73
1
Parent(s):
c3929a8
fix(security): allow Chrome client hints headers in security middleware
- Add sec-ch-ua headers to allowed list
- Add sec-fetch headers for modern browsers
- Fix HuggingFace Spaces compatibility issue
- Prevent false positives for legitimate browser headers
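--- a/src/api/middleware/security.py
+++ b/src/api/middleware/security.py
@@ -293,7 +293,12 @@ class RequestValidator:
 "host", "connection", "upgrade-insecure-requests",
 "authorization", "x-api-key", "content-type", "content-length",
 "cookie", "cache-control", "pragma", "expires",
-"if-none-match", "if-modified-since"
+"if-none-match", "if-modified-since",
+# Chrome client hints headers
+"sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform",
+"sec-fetch-dest", "sec-fetch-mode", "sec-fetch-site", "sec-fetch-user",
+# Other security headers
+"dnt", "x-requested-with", "x-csrf-token"
 }
 for name, value in request.headers.items():
 if name.lower() in skip_headers: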
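Review bot: The new `"dnt", "x-requested-with", "x-csrf-token"` entries (new line 301) widen the `skip_headers` exemption beyond the client-hint headers the commit message describes, and every name in this set is a client-controlled header whose value then skips whatever check the loop below applies. The `sec-ch-ua*` exemption is defensible because a legitimate `sec-ch-ua` value carries quotes and semicolons that a naive scanner would flag, but a CSRF token or `XMLHttpRequest` has no such characters, so exempting them removes scanning for no false-positive benefit; I would drop those three or record why each one trips the validator. The `# Other security headers` label is also inaccurate — these are ordinary request headers, and a comment such as `# Every entry here bypasses header validation; add a name only when its legitimate values are known to trip the scanner` would state the actual contract of the set. Both the definition of `skip_headers` and the body of the `for` loop start or continue outside this hunk, so I cannot see what the skipped check is; if the set is built inside the method, hoisting it to a class-level `frozenset` constant would avoid rebuilding it per request.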