* fix(security): add HSTS and Permissions-Policy headers to SecurityHeadersMiddleware Strict-Transport-Security is sent only when the connection is HTTPS (detected via request.url.scheme or X-Forwarded-Proto: https), so plain-HTTP dev deployments behind a reverse proxy are unaffected. Permissions-Policy disables camera, microphone, and geolocation APIs unconditionally — Odysseus does not use them, and this prevents a successful XSS from requesting browser-native sensor access. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): scope Permissions-Policy microphone directive to same-origin Reviewers on PR #3081 (alteixeira20, NubsCarson) flagged that microphone=() blocks mic access for same-origin (self) too, breaking Odysseus's own voice/STT flow (getUserMedia({audio: true}) in static/js/voiceRecorder.js). Scope it to microphone=(self) so third-party origins stay locked out while the app's own UI keeps mic access; camera and geolocation remain fully disabled as unused. Adds focused middleware tests covering HSTS scoping (HTTPS direct, X-Forwarded-Proto, absent on plain HTTP) and the Permissions-Policy same-origin microphone contract. --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| atomic_io.py | ||
| auth.py | ||
| constants.py | ||
| database.py | ||
| exceptions.py | ||
| middleware.py | ||
| models.py | ||
| platform_compat.py | ||
| session_manager.py | ||