webui

Sabo/webui

Files

Cyprian Kowalczyk 392bc5df6e fix: add Content-Security-Policy and Permissions-Policy headers (#197 )

Add CSP and Permissions-Policy headers to _security_headers() for
defense-in-depth against XSS and unwanted browser feature access.

CSP policy:
  default-src 'self' — only load resources from same origin
  script-src 'self' — prevent inline/remote script injection
  style-src 'self' 'unsafe-inline' — allow themes (inline styles)
  img-src 'self' data: — allow workspace images and data URIs
  font-src 'self' data: — allow web fonts
  connect-src 'self' — only allow fetch/XHR to same origin
  base-uri 'self'; form-action 'self' — prevent base/form injection

Permissions-Policy: disable camera, microphone, geolocation.

Addresses #193.

2026-04-09 18:07:07 -07:00

__init__.py

Hermes Web UI — Sprints 11-14: multi-provider models, settings, session QoL, alerts, polish

2026-03-31 07:02:47 +00:00

auth.py

fix(auth): prune expired sessions on every verify to prevent memory leak (#196 )

2026-04-09 18:05:23 -07:00

config.py

feat: pluggable i18n with English/Chinese language switcher in Settings

2026-04-08 18:57:50 -07:00

helpers.py

fix: add Content-Security-Policy and Permissions-Policy headers (#197 )