ENG-2192: Security Headers

[tvandort]

Ticket ENG-2192

Description Of Changes

Adds good practice security headers to Admin UI & Fides API.

Code Changes

Adds the following headers on routes:

• X-Content-Type-Options
• Strict-Transport-Security
• Content-Security-Policy
• X-Frame-Options

Steps to Confirm

1. set FIDES__SECURITY__HEADERS_MODE="recommended"
2. run fides after exporting the admin UI to serve it from port 8080
3. browse around
4. check the network panel to see that headers are applied

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Jan 5, 2026 10:16pm
fides-privacy-center	Ignored		Jan 5, 2026 10:16pm

[codecov]

Codecov Report

❌ Patch coverage is 85.71429% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.17%. Comparing base (cfbf98a) to head (b2badd6).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
src/fides/api/util/security_headers.py	84.21%	4 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7134      +/-   ##
==========================================
- Coverage   87.17%   87.17%   -0.01%     
==========================================
  Files         535      536       +1     
  Lines       35330    35371      +41     
  Branches     4113     4120       +7     
==========================================
+ Hits        30800    30835      +35     
- Misses       3639     3643       +4     
- Partials      891      893       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[greptile-apps]

Greptile Summary

Adds configurable security headers (X-Content-Type-Options, Strict-Transport-Security, Content-Security-Policy, X-Frame-Options) to Fides API responses via new middleware. The feature is controlled by FIDES__SECURITY__HEADERS_MODE config setting (defaults to "none").

Key changes:

• New SecurityHeadersMiddleware applies headers based on path-matching rules
• Headers apply to all routes, with CSP/X-Frame-Options excluded from /api/* and /health endpoints
• Configuration uses literal type union for type-safe mode selection

Critical issues found:

• The is_exact_match() function has a bug that will crash when regex doesn't match (accessing .string on None)
• Module-level config evaluation freezes header mode at import time, preventing runtime config changes
• Regex pattern for excluding API/health endpoints may not work correctly due to missing anchor
• Test expectations don't align with "exact match" function semantics

Confidence Score: 2/5

• Not safe to merge - contains critical bugs that will cause runtime failures
• The implementation has a critical bug in is_exact_match() that will raise AttributeError when paths don't match patterns, and the module-level config evaluation prevents runtime configuration changes. These are blocking issues.
• src/fides/api/util/security_headers.py requires fixes for the is_exact_match() bug and config evaluation timing, and tests/api/util/test_security_headers.py needs corrected test expectations and integration tests

Important Files Changed

Filename	Overview
src/fides/config/security_settings.py	Added headers_mode configuration field with safe defaults
src/fides/api/app_setup.py	Added middleware registration for security headers
src/fides/api/util/security_headers.py	Implemented security headers middleware with pattern matching logic - has a critical regex matching bug
tests/api/util/test_security_headers.py	Basic unit tests for helper functions - missing integration tests for actual header application

[greptile-apps]

_{4 files reviewed, 6 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

logic: Module-level config evaluation will freeze the value at import time. If headers_mode changes at runtime, this won't reflect the change. Move this check inside the middleware dispatch method.

Suggested change

	apply_recommended_headers = CONFIG.security.headers_mode == "recommended"
	# Remove this line - the check should be done at request time in the middleware

[tvandort]

This is intended to make sure we don't access the config object on each request.

[tvandort]

@grepileai review again pls