""" Security middleware for FastAPI application. Implements rate limiting, security headers, and CORS configuration. """ from fastapi import Request, HTTPException, status from fastapi.responses import JSONResponse from starlette.middleware.base import BaseHTTPMiddleware from starlette.middleware.cors import CORSMiddleware from collections import defaultdict from datetime import datetime, timedelta from typing import Dict, Tuple import time class RateLimitMiddleware(BaseHTTPMiddleware): """Rate limiting middleware to prevent abuse.""" def __init__(self, app, requests_per_minute: int = 60): super().__init__(app) self.requests_per_minute = requests_per_minute self.requests: Dict[str, list] = defaultdict(list) async def dispatch(self, request: Request, call_next): """Process request with rate limiting.""" # Get client IP client_ip = request.client.host # Skip rate limiting for health checks if request.url.path == "/health": return await call_next(request) # Clean old requests now = time.time() cutoff = now - 60 # 1 minute ago self.requests[client_ip] = [ req_time for req_time in self.requests[client_ip] if req_time > cutoff ] # Check rate limit if len(self.requests[client_ip]) >= self.requests_per_minute: return JSONResponse( status_code=status.HTTP_429_TOO_MANY_REQUESTS, content={ "detail": "Rate limit exceeded. Please try again later.", "retry_after": 60 }, headers={"Retry-After": "60"} ) # Add current request self.requests[client_ip].append(now) # Process request response = await call_next(request) # Add rate limit headers remaining = self.requests_per_minute - len(self.requests[client_ip]) response.headers["X-RateLimit-Limit"] = str(self.requests_per_minute) response.headers["X-RateLimit-Remaining"] = str(max(0, remaining)) response.headers["X-RateLimit-Reset"] = str(int(now + 60)) return response class SecurityHeadersMiddleware(BaseHTTPMiddleware): """Add security headers to all responses.""" async def dispatch(self, request: Request, call_next): """Add security headers.""" response = await call_next(request) # Prevent clickjacking response.headers["X-Frame-Options"] = "SAMEORIGIN" # Prevent MIME sniffing response.headers["X-Content-Type-Options"] = "nosniff" # XSS Protection (legacy but still useful) response.headers["X-XSS-Protection"] = "1; mode=block" # Content Security Policy csp = ( "default-src 'self'; " "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " "style-src 'self' 'unsafe-inline'; " "img-src 'self' data: https:; " "font-src 'self' data:; " "connect-src 'self'; " "frame-ancestors 'self';" ) response.headers["Content-Security-Policy"] = csp # Strict Transport Security (HTTPS only) # Uncomment when using HTTPS # response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains" # Referrer Policy response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin" # Permissions Policy (formerly Feature-Policy) response.headers["Permissions-Policy"] = ( "geolocation=(), " "microphone=(), " "camera=(), " "payment=()" ) return response def configure_cors(app, allowed_origins: list = None): """Configure CORS with security best practices.""" if allowed_origins is None: # Default: allow only localhost in development allowed_origins = [ "http://localhost:3000", "http://localhost:5173", "http://localhost:8000", ] app.add_middleware( CORSMiddleware, allow_origins=allowed_origins, allow_credentials=True, allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE"], allow_headers=["*"], max_age=600, # Cache preflight for 10 minutes ) def setup_security_middleware(app, rate_limit: int = 60, allowed_origins: list = None): """Set up all security middleware.""" # Add rate limiting app.add_middleware(RateLimitMiddleware, requests_per_minute=rate_limit) # Add security headers app.add_middleware(SecurityHeadersMiddleware) # Configure CORS configure_cors(app, allowed_origins)