feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
"""Tests for security headers middleware."""
|
|
|
|
|
|
|
|
|
|
import pytest
|
|
|
|
|
from fastapi import FastAPI
|
ruff (#169)
* polish: streamline nav, extract inline styles, improve tablet UX
- Restructure desktop nav from 8+ flat links + overflow dropdown into
5 grouped dropdowns (Core, Agents, Intel, System, More) matching
the mobile menu structure to reduce decision fatigue
- Extract all inline styles from mission_control.html and base.html
notification elements into mission-control.css with semantic classes
- Replace JS-built innerHTML with secure DOM construction in
notification loader and chat history
- Add CONNECTING state to connection indicator (amber) instead of
showing OFFLINE before WebSocket connects
- Add tablet breakpoint (1024px) with larger touch targets for
Apple Pencil / stylus use and safe-area padding for iPad toolbar
- Add active-link highlighting in desktop dropdown menus
- Rename "Mission Control" page title to "System Overview" to
disambiguate from the chat home page
- Add "Home — Timmy Time" page title to index.html
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
* fix(security): move auth-gate credentials to environment variables
Hardcoded username, password, and HMAC secret in auth-gate.py replaced
with os.environ lookups. Startup now refuses to run if any variable is
unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example.
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
* refactor(tooling): migrate from black+isort+bandit to ruff
Replace three separate linting/formatting tools with a single ruff
invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs),
.pre-commit-config.yaml, and CI workflow. Fixes all ruff errors
including unused imports, missing raise-from, and undefined names.
Ruff config maps existing bandit skips to equivalent S-rules.
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
---------
Co-authored-by: Claude <noreply@anthropic.com>
2026-03-11 12:23:35 -04:00
|
|
|
from fastapi.responses import HTMLResponse
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
from fastapi.testclient import TestClient
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestSecurityHeadersMiddleware:
|
|
|
|
|
"""Test security headers are properly set on responses."""
|
|
|
|
|
|
|
|
|
|
@pytest.fixture
|
|
|
|
|
def client_with_headers(self):
|
|
|
|
|
"""Create a test client with security headers middleware."""
|
|
|
|
|
from dashboard.middleware.security_headers import SecurityHeadersMiddleware
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
app = FastAPI()
|
|
|
|
|
app.add_middleware(SecurityHeadersMiddleware)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
@app.get("/test")
|
|
|
|
|
def test_endpoint():
|
|
|
|
|
return {"message": "success"}
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
@app.get("/html")
|
|
|
|
|
def html_endpoint():
|
|
|
|
|
return HTMLResponse(content="<html><body>Test</body></html>")
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
return TestClient(app)
|
|
|
|
|
|
|
|
|
|
def test_x_content_type_options_header(self, client_with_headers):
|
|
|
|
|
"""X-Content-Type-Options should be set to nosniff."""
|
|
|
|
|
response = client_with_headers.get("/test")
|
|
|
|
|
assert response.headers.get("x-content-type-options") == "nosniff"
|
|
|
|
|
|
|
|
|
|
def test_x_frame_options_header(self, client_with_headers):
|
|
|
|
|
"""X-Frame-Options should be set to DENY."""
|
|
|
|
|
response = client_with_headers.get("/test")
|
2026-03-04 17:15:46 -05:00
|
|
|
assert response.headers.get("x-frame-options") == "SAMEORIGIN"
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
|
|
|
|
|
def test_x_xss_protection_header(self, client_with_headers):
|
|
|
|
|
"""X-XSS-Protection should be enabled."""
|
|
|
|
|
response = client_with_headers.get("/test")
|
|
|
|
|
assert "1; mode=block" in response.headers.get("x-xss-protection", "")
|
|
|
|
|
|
|
|
|
|
def test_referrer_policy_header(self, client_with_headers):
|
|
|
|
|
"""Referrer-Policy should be set."""
|
|
|
|
|
response = client_with_headers.get("/test")
|
|
|
|
|
assert response.headers.get("referrer-policy") == "strict-origin-when-cross-origin"
|
|
|
|
|
|
|
|
|
|
def test_permissions_policy_header(self, client_with_headers):
|
|
|
|
|
"""Permissions-Policy should restrict sensitive features."""
|
|
|
|
|
response = client_with_headers.get("/test")
|
|
|
|
|
policy = response.headers.get("permissions-policy", "")
|
|
|
|
|
assert "camera=()" in policy
|
|
|
|
|
assert "microphone=()" in policy
|
|
|
|
|
assert "geolocation=()" in policy
|
|
|
|
|
|
|
|
|
|
def test_content_security_policy_header(self, client_with_headers):
|
|
|
|
|
"""Content-Security-Policy should be set for HTML responses."""
|
|
|
|
|
response = client_with_headers.get("/html")
|
|
|
|
|
csp = response.headers.get("content-security-policy", "")
|
|
|
|
|
assert "default-src 'self'" in csp
|
|
|
|
|
assert "script-src" in csp
|
|
|
|
|
assert "style-src" in csp
|
|
|
|
|
|
|
|
|
|
def test_strict_transport_security_in_production(self):
|
|
|
|
|
"""HSTS header should be set in production mode."""
|
|
|
|
|
from dashboard.middleware.security_headers import SecurityHeadersMiddleware
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
app = FastAPI()
|
|
|
|
|
app.add_middleware(SecurityHeadersMiddleware, production=True)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
@app.get("/test")
|
|
|
|
|
def test_endpoint():
|
|
|
|
|
return {"message": "success"}
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
client = TestClient(app)
|
|
|
|
|
response = client.get("/test")
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
hsts = response.headers.get("strict-transport-security")
|
|
|
|
|
assert hsts is not None
|
|
|
|
|
assert "max-age=" in hsts
|
|
|
|
|
|
|
|
|
|
def test_strict_transport_security_not_in_dev(self, client_with_headers):
|
|
|
|
|
"""HSTS header should not be set in development mode."""
|
|
|
|
|
response = client_with_headers.get("/test")
|
|
|
|
|
assert "strict-transport-security" not in response.headers
|
|
|
|
|
|
|
|
|
|
def test_headers_on_error_response(self):
|
|
|
|
|
"""Security headers should be set even on error responses."""
|
|
|
|
|
from dashboard.middleware.security_headers import SecurityHeadersMiddleware
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
app = FastAPI()
|
|
|
|
|
app.add_middleware(SecurityHeadersMiddleware)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
@app.get("/error")
|
|
|
|
|
def error_endpoint():
|
|
|
|
|
raise ValueError("Test error")
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
# Use raise_server_exceptions=False to get the error response
|
|
|
|
|
client = TestClient(app, raise_server_exceptions=False)
|
|
|
|
|
response = client.get("/error")
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
# Even on 500 error, security headers should be present
|
|
|
|
|
assert response.status_code == 500
|
|
|
|
|
assert response.headers.get("x-content-type-options") == "nosniff"
|
2026-03-04 17:15:46 -05:00
|
|
|
assert response.headers.get("x-frame-options") == "SAMEORIGIN"
|