From d8c947f88fc4c04f74795f2402cd37beb0a71b0e Mon Sep 17 00:00:00 2001 From: Rene Luria Date: Wed, 8 Jul 2026 13:50:23 +0200 Subject: [PATCH] fix(security): add nonce-based CSP header to frontend route --- main.py | 21 ++++++++++++++++++++- tests/test_main.py | 20 ++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/main.py b/main.py index 2c46d08..2d25ee8 100644 --- a/main.py +++ b/main.py @@ -7,6 +7,7 @@ from typing import Optional import jwt import requests import os +import secrets from functools import lru_cache app = FastAPI(title="OIDC Token Validator") @@ -326,9 +327,27 @@ async def validate_token(request: TokenValidationRequest): @app.get("/", response_class=HTMLResponse) async def read_root(): """Serve the frontend HTML file""" + nonce = secrets.token_urlsafe(16) with open("templates/index.html", "r") as file: html_content = file.read() - return HTMLResponse(content=html_content, status_code=200) + html_content = html_content.replace( + '