Problem Statement
No HTTP security headers are set in FastAPI middleware or nginx configurations. Missing: Content-Security-Policy (XSS prevention), Strict-Transport-Security (MITM prevention), X-Frame-Options (clickjacking prevention), X-Content-Type-Options (MIME-sniffing prevention), Referrer-Policy.
Evidence
quantara/web_app/api/main.py: Only SessionMiddleware and CORSMiddleware — no security header middleware
quantara/frontend/quantara.conf: SSL configured but no add_header directives for security headers
quantara/frontend/quantara_dev.conf: Same gap
Impact
Medium — multiple web attack vectors. Without CSP: XSS attacks execute arbitrary scripts. Without HSTS: MITM can downgrade to HTTP. Without X-Frame-Options: clickjacking possible on the web interface.
Proposed Solution
Add a Starlette BaseHTTPMiddleware to inject security headers on all FastAPI responses. Configure nginx to add the same headers at the reverse-proxy level as defense in depth. CSP: 'self', https://*.stellar.org, Freighter wallet API. HSTS: max-age=31536000; includeSubDomains, in production only.
Acceptance Criteria
ENV_VERSION=PROD
File Map
quantara/web_app/api/main.py — add security header middleware
quantara/frontend/quantara.conf — add nginx add_header directives
quantara/frontend/quantara_dev.conf — add nginx security headers (shorter HSTS for dev)
Testing Strategy
- Unit: Test middleware injects correct headers
- Integration: curl -I to verify all headers present
- Manual: Use securityheaders.com or Mozilla Observatory to scan deployed app
Security Considerations
Start CSP with Content-Security-Policy-Report-Only to identify blocked resources before enforcing. Use defense-in-depth: both FastAPI middleware and nginx headers.
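As an added example (not code from the issue or the quantara project), the header middleware from the Proposed Solution together with the Report-Only rollout switch from this section. It is written as a pure ASGI middleware rather than BaseHTTPMiddleware so it runs without Starlette installed; FastAPI registers it through the same app.add_middleware call. The Freighter origin is a placeholder and the production flag stands in for whatever environment check the project uses.

```python
import asyncio
# Constructed CSP source list from the issue: 'self', Stellar hosts and the
# Freighter wallet API. The Freighter origin below is a placeholder, not a verified value.
CSP_SOURCES = ["'self'", "https://*.stellar.org", "https://freighter.example"]

def build_security_headers(production, csp_report_only=False):
    """Header set for every response. HSTS is emitted in production only (issue
    text); csp_report_only selects the Report-Only header for the rollout phase."""
    src = " ".join(CSP_SOURCES)
    csp = "Content-Security-Policy-Report-Only" if csp_report_only else "Content-Security-Policy"
    headers = {
        csp: f"default-src {src}; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    if production:
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    return headers

class SecurityHeadersMiddleware:
    """Pure ASGI middleware: appends the headers on http.response.start without
    overriding a header the route already set. Register it with
    app.add_middleware(SecurityHeadersMiddleware, production=True)."""
    def __init__(self, app, production, csp_report_only=False):
        self.app = app
        self.extra = [(k.lower().encode(), v.encode())
                      for k, v in build_security_headers(production, csp_report_only).items()]
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                # Keep any header the route set deliberately; add only the missing ones.
                present = {bytes(k).lower() for k, _ in message.get("headers", [])}
                message["headers"] = list(message.get("headers", [])) + [
                    h for h in self.extra if h[0] not in present]
            await send(message)
        await self.app(scope, receive, send_wrapper)

def headers_through_middleware(production, csp_report_only=False):
    """Run a minimal ASGI app through the middleware and return the response headers."""
    async def app(scope, receive, send):
        await send({"type": "http.response.start", "status": 200,
                    "headers": [(b"content-type", b"text/html")]})
        await send({"type": "http.response.body", "body": b"ok"})
    seen = {}
    async def capture(message):
        if message["type"] == "http.response.start":
            seen.update({k.decode(): v.decode() for k, v in message["headers"]})
    asyncio.run(SecurityHeadersMiddleware(app, production, csp_report_only)(
        {"type": "http", "method": "GET", "path": "/"}, None, capture))
    return seen
```

headers_through_middleware is the unit check from the Testing Strategy: it exercises the middleware without a running server, so the same asserts can sit in the project's test suite.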
Definition of Done
Labels: security
Priority: Medium
Difficulty: Intermediate
Estimated Effort: 2h