fix: fix a privilege escalation vulnerability and add security headers
All checks were successful
continuous-integration/drone/push Build is passing

Security fix:
- Add a UserSelfUpdate schema that forbids users from changing their own role and is_active
- The /users/me endpoint now uses UserSelfUpdate instead of UserUpdate

Security enhancements:
- Add the SecurityHeadersMiddleware middleware
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: disables sensitive browser features
- Cache-Control: API responses are not cached
yuliang_guo
2026-01-31 10:57:41 +08:00
parent 52dccaab79
commit 79b55cfd12
4 changed files with 54 additions and 4 deletions
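An added example, not the project's code and not its app.core.middleware or schema modules: a pure-ASGI version of the two changes the commit message describes, a SecurityHeadersMiddleware that stamps the listed headers on every HTTP response, and an allowlist check standing in for binding /users/me to UserSelfUpdate. It runs with neither FastAPI nor Pydantic installed, driven by a constructed upstream app and request scope. Assumptions: the Permissions-Policy and Cache-Control values, the self-editable field names (email, full_name, password), and the sample response body; X-XSS-Protection is set to 0 rather than the commit's 1; mode=block, following current OWASP guidance.

```python
import asyncio

# Added example, not the project's SecurityHeadersMiddleware. Header names come from
# the commit message; Permissions-Policy and Cache-Control values are assumptions,
# and X-XSS-Protection is "0" (OWASP guidance) rather than the commit's "1; mode=block".
SECURITY_HEADERS = {
    b"x-content-type-options": b"nosniff",
    b"x-frame-options": b"DENY",
    b"x-xss-protection": b"0",
    b"referrer-policy": b"strict-origin-when-cross-origin",
    b"permissions-policy": b"camera=(), microphone=(), geolocation=(), payment=()",
    b"cache-control": b"no-store",
}


class SecurityHeadersMiddleware:
    """Pure-ASGI middleware: adds the fixed header set to every HTTP response.

    Usable via app.add_middleware(SecurityHeadersMiddleware) in FastAPI/Starlette,
    but depends on neither.
    """

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # lifespan / websocket: pass through untouched
            await self.app(scope, receive, send)
            return

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                # Drop any same-named header the route set, then append ours, so the
                # policy is enforced centrally and cannot be weakened per endpoint.
                headers = [(k, v) for k, v in message.get("headers", [])
                           if k.lower() not in SECURITY_HEADERS]
                headers.extend(SECURITY_HEADERS.items())
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_with_headers)


# Field names assumed for UserSelfUpdate; only role and is_active are known from the commit.
SELF_EDITABLE_FIELDS = frozenset({"email", "full_name", "password"})
PRIVILEGED_FIELDS = frozenset({"role", "is_active"})


def validate_self_update(payload: dict) -> dict:
    """Allowlist check for PUT/PATCH /users/me.

    Same intent as binding the endpoint to UserSelfUpdate instead of UserUpdate,
    but privileged and unknown fields are rejected outright (like pydantic's
    extra="forbid") rather than silently discarded, so an escalation attempt
    produces an error instead of a misleading 200.
    """
    rejected = set(payload) - SELF_EDITABLE_FIELDS
    if rejected:
        kind = "privileged" if rejected & PRIVILEGED_FIELDS else "unknown"
        raise ValueError(f"{kind} field(s) not allowed on /users/me: {sorted(rejected)}")
    return dict(payload)


async def sample_upstream_app(scope, receive, send):
    """Constructed stand-in for the real app: a /users/me JSON response."""
    body = b'{"id": 1, "role": "admin"}'
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json"),
                            (b"content-length", str(len(body)).encode()),
                            (b"cache-control", b"public, max-age=60")]})  # overridden below
    await send({"type": "http.response.body", "body": body})


def run_request(app, path="/users/me", method="GET"):
    """Drive an ASGI app with a minimal constructed scope; returns (status, headers, body)."""
    scope = {"type": "http", "method": method, "path": path, "headers": []}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    headers = {k.decode(): v.decode() for k, v in start["headers"]}
    return start["status"], headers, body


if __name__ == "__main__":
    status, headers, body = run_request(SecurityHeadersMiddleware(sample_upstream_app))
    print(status, headers["x-frame-options"], headers["cache-control"], body)
    try:
        validate_self_update({"full_name": "Eve", "role": "admin"})
    except ValueError as exc:
        print("rejected:", exc)
```

Binding /users/me to a schema that simply omits role and is_active, as the commit does, makes Pydantic drop those keys silently under its default extra handling; validate_self_update rejects them instead, which is what extra="forbid" on the model would give and which makes escalation attempts visible in error logs. The middleware overrides rather than preserves a route-level Cache-Control, which is why the upstream's public, max-age=60 comes back as no-store.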


@@ -98,13 +98,16 @@ app.add_middleware(
)
# 添加限流中间件
from app.core.middleware import RateLimitMiddleware
from app.core.middleware import RateLimitMiddleware, SecurityHeadersMiddleware
app.add_middleware(
RateLimitMiddleware,
requests_per_minute=120, # 每分钟最大请求数
burst_limit=200, # 突发请求限制
)
# 添加安全响应头中间件
app.add_middleware(SecurityHeadersMiddleware)
# 健康检查端点
@app.get("/health")
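Review bot: Registering SecurityHeadersMiddleware after RateLimitMiddleware (`app.add_middleware(SecurityHeadersMiddleware)` as the last call in the hunk) makes it the outermost layer in Starlette's stack, so the headers also land on the 429 responses the rate limiter emits and on /health; keep that ordering if more middleware is added later, since add_middleware wraps from the outside in. Two follow-ups on the header set listed in the commit message: X-XSS-Protection: 1; mode=block is deprecated and OWASP now recommends 0 (current browsers have removed the filter, and it was itself a source of cross-site leaks where present), and Strict-Transport-Security and Content-Security-Policy are absent, both of which belong in the same middleware if the API is served over TLS or returns any HTML. Also, the two import lines shown (`from app.core.middleware import RateLimitMiddleware` and `from app.core.middleware import RateLimitMiddleware, SecurityHeadersMiddleware`) are the removed and added forms of one statement; confirm the old one is actually gone so the import is not duplicated.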