Fix Swagger /docs page blocked by CSP

[JuliusScheuerer]

Summary

• Relax CSP for /docs and /openapi.json paths only, allowing cdn.jsdelivr.net for Swagger UI scripts/styles
• All other paths retain strict nonce-based CSP (no change to security posture of the main app)
• The docs page serves no user data, so the relaxed policy is safe

Test plan

• make check passes (275 tests, 95.50% coverage)
• Manual: visit /docs in browser, verify Swagger UI renders and is interactive

[greptile-apps]

Greptile Summary

This PR fixes Swagger UI being blocked by the application's Content-Security-Policy by introducing per-path CSP branching in SecurityHeadersMiddleware. The /docs and /openapi.json paths now receive a relaxed policy that allows scripts, styles, and images from cdn.jsdelivr.net plus 'unsafe-inline', while every other path retains the strict nonce-based CSP unchanged.

Key changes:

• Two new module-level constants (_SWAGGER_CDN, _SWAGGER_PATHS) clearly scope the relaxation to the docs surface.
• The implementation correctly uses request.url.path (no query string, no fragment) for exact-match routing, avoiding unintended policy widening.
• The security trade-off is reasonable: /docs serves no user data, so 'unsafe-inline' carries minimal practical risk.

Issues found:

• No tests were added for the new CSP branching logic; the existing TestCacheControlBranching pattern could be mirrored to cover both the relaxed and strict CSP paths.
• /docs/oauth2-redirect (FastAPI's built-in OAuth2 callback page for Swagger UI) is not in _SWAGGER_PATHS, which would cause the OAuth2 flow to break if security schemes are ever added to the spec.

Confidence Score: 4/5

• Safe to merge; the relaxation is tightly scoped to docs paths and does not affect the security posture of user-data routes.
• The core logic is correct and the security justification is sound. The two remaining items (missing tests and the /docs/oauth2-redirect gap) are non-blocking P2 suggestions rather than bugs in the current implementation.
• No files require special attention beyond the P2 suggestions already noted in src/document_anonymizer/security/middleware.py.

Important Files Changed

Filename	Overview
src/document_anonymizer/security/middleware.py	Adds per-path CSP branching: /docs and /openapi.json receive a relaxed policy allowing cdn.jsdelivr.net and 'unsafe-inline' for scripts/styles; all other paths keep the strict nonce-based policy. Logic is correct and well-scoped, but the new branch has no test coverage and /docs/oauth2-redirect is not included.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Incoming Request] --> B[Generate request_id & csp_nonce]
    B --> C[call_next — route handler]
    C --> D[Apply common headers\nHSTS, X-Frame-Options, etc.]
    D --> E{request.url.path\nin _SWAGGER_PATHS?}
    E -- Yes\n/docs or /openapi.json --> F["Relaxed CSP\nscript-src 'self' 'unsafe-inline' cdn.jsdelivr.net\nstyle-src 'self' 'unsafe-inline' cdn.jsdelivr.net\nimg-src 'self' data: cdn.jsdelivr.net"]
    E -- No\nall other paths --> G["Strict CSP\nscript-src 'self' 'nonce-{csp_nonce}'\nstyle-src 'self' 'unsafe-inline'\nimg-src 'self' data:"]
    F --> H[Apply Cache-Control & Permissions-Policy]
    G --> H
    H --> I[Return Response]

Loading

_{Reviews (1): Last reviewed commit: "Fix Swagger /docs page blocked by CSP" | Re-trigger Greptile}