feat: standardize security headers and env-configurable CORS (#637)

[lb1192176991-lab]

What

Adds comprehensive HTTP security headers and makes CORS origins configurable via environment variable.

Backend (FastAPI)

• Added _SecurityHeadersMiddleware that sets: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-XSS-Protection: 1; mode=block, Strict-Transport-Security: max-age=31536000; includeSubDomains, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: camera=(), microphone=(), geolocation=()
• Made CORS allow_origins configurable via ALLOWED_ORIGINS env variable (comma-separated), falling back to the existing hardcoded defaults

Frontend (Vite)

• Added CSP meta tag: restricts scripts, styles, fonts, connections, frames, and form actions to authorized origins only
• Added X-Content-Type-Options, X-Frame-Options, and Referrer-Policy http-equiv meta tags for environments where server-side headers are not set

Why

Without these protections, the application is vulnerable to:

• Cross-Site Scripting (XSS) via inline script injection
• Clickjacking via iframe embedding
• MIME-type sniffing attacks
• Missing HSTS exposing users to SSL stripping
• CORS being locked to hardcoded values requiring code changes for new deployments

Testing

• Verified all backend security headers are set via middleware
• Verified CSP meta tags are present in the HTML
• Backend Python syntax verified with ast.parse
• CORS behavior unchanged for default origins; env-based override works when ALLOWED_ORIGINS is set

[vercel]

@lb1192176991-lab is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a042112b-517c-4364-8d03-e15c83cef574

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7cceee886d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Allow the actual backend origins in CSP

With the default frontend config, production API calls go to https://ritesh19180-ai-helpdesk-api.hf.space and local development goes to http://localhost:8000 (Frontend/src/config.js), but this new connect-src only allows the frontend origin and Supabase. In those default production/local environments the browser will block every fetch/axios request before CORS is reached, making auth and ticket APIs unusable unless the CSP also includes the configured backend origin(s).

Useful? React with 👍 / 👎.