feat(security): Standardize Security Headers and CORS Policy Restrictions for Production Deployments

[advikdivekar]

Summary

Fixes #637

This PR hardens the web frontend and FastAPI backend against XSS, Clickjacking, and MIME-sniffing vulnerabilities by enforcing standard HTTP security headers and restricting CORS to authorized origins only.

Changes

• Frontend/vite.config.js — CSP + Security Headers for Vite

  • Full Content-Security-Policy header: whitelists self, Supabase (REST/Auth/Realtime), Google Fonts, Gemini API, local backend — blocks everything else
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY (clickjacking protection)
  • X-XSS-Protection: 1; mode=block
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy locks camera/mic/geolocation
  • Strict-Transport-Security in preview (production) mode
  • Added rollupOptions.manualChunks for vendor/ui bundle splitting

• backend/middleware/security_headers.py — Helmet-equivalent FastAPI middleware

  • SecurityHeadersMiddleware (Starlette BaseHTTPMiddleware) injects all headers into every response
  • _parse_allowed_origins() reads ALLOWED_ORIGINS env var (comma-separated), falling back to existing defaults
  • add_security_middleware(app) convenience function replaces the inline CORSMiddleware block in main.py — CORS origins are now environment-driven
  • Allows methods explicitly (GET, POST, PUT, PATCH, DELETE, OPTIONS) instead of wildcard

Migration

In backend/main.py, replace the existing inline CORS block:

# Before:
app.add_middleware(CORSMiddleware, allow_origins=["https://..."], ...)

# After:
from backend.middleware.security_headers import add_security_middleware
add_security_middleware(app)

Set ALLOWED_ORIGINS=https://helpdeskaiv1.vercel.app,https://staging.helpdesk.ai in your .env.

Test Plan

• Run vite dev and inspect response headers in browser DevTools — all security headers present
• Run FastAPI backend and curl -v /health — all Helmet headers in response
• Request from unlisted origin → CORS rejection (403/no Access-Control-Allow-Origin)
• Request from ALLOWED_ORIGINS origin → CORS headers present
• Verify CSP does not block Supabase auth calls or Gemini API

[vercel]

@advikdivekar is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d43808fe-6a60-41a9-aaa0-12f001864553

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[advikdivekar]

@ritesh-1918 please review my PR, thank you