[Feature]: Add various security headers #3677

Open
Manouchehri opened this issue May 16, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@Manouchehri
Collaborator

The Feature

LiteLLM should add the following headers:

  1. content-security-policy
  2. cross-origin-resource-policy
  3. cross-origin-opener-policy
  4. cross-origin-embedder-policy
  5. x-frame-options
  6. x-content-type-options
  7. access-control-allow-origin

IMO it should use PROXY_BASE_URL as a default to calculate these headers.

Reasonable defaults for all requests/paths would be (assuming PROXY_BASE_URL="https://example.com/"):

x-content-type-options: nosniff
x-frame-options: DENY
cross-origin-resource-policy: same-origin
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
access-control-allow-origin: https://example.com

The CSP is a bit more complicated. For example, the CSP for https://example.com/v1/chat/completions and https://example.com/ui will be completely different.

This is an UNSAFE/bad example of a CSP for LiteLLM:

content-security-policy: default-src * 'unsafe-inline'; img-src * 'self' data:

Motivation, pitch

Security hardening of LiteLLM is always a good idea imo. =)

Twitter / LinkedIn details

https://twitter.com/DaveManouchehri
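As an added illustration (not code from LiteLLM or from the issue author), a dependency-free ASGI middleware that derives the allowed origin from PROXY_BASE_URL and chooses the CSP by path, so API routes such as /v1/chat/completions get a locked-down policy while the UI gets one that can load its own assets. The two CSP strings and the `/ui` prefix are assumptions; a real UI policy would have to be tuned to what the UI actually loads.

```python
"""Constructed example: per-path security headers for an ASGI proxy."""
from urllib.parse import urlsplit

# Headers that are the same on every response (defaults from the issue).
FIXED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "cross-origin-resource-policy": "same-origin",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-embedder-policy": "require-corp",
}

# Assumed policies: JSON API endpoints render nothing, so nothing may load;
# the UI needs its own scripts/styles/images but must not be framed.
API_CSP = "default-src 'none'; frame-ancestors 'none'"
UI_CSP = ("default-src 'self'; img-src 'self' data:; "
          "frame-ancestors 'none'; base-uri 'self'; form-action 'self'")


def origin_from_base_url(proxy_base_url: str) -> str:
    """Reduce PROXY_BASE_URL (e.g. "https://example.com/") to its origin."""
    parts = urlsplit(proxy_base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"PROXY_BASE_URL must be an absolute http(s) URL: {proxy_base_url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def security_headers(path: str, proxy_base_url: str) -> dict:
    """Return the full header set for one response, keyed by lowercase name."""
    headers = dict(FIXED_HEADERS)
    headers["access-control-allow-origin"] = origin_from_base_url(proxy_base_url)
    headers["content-security-policy"] = UI_CSP if path.startswith("/ui") else API_CSP
    return headers


class SecurityHeadersMiddleware:
    """Wraps any ASGI app (FastAPI included) and appends the headers on send."""

    def __init__(self, app, proxy_base_url: str):
        self.app = app
        self.proxy_base_url = proxy_base_url

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        path = scope.get("path", "/")

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                extra = [(k.encode(), v.encode())
                         for k, v in security_headers(path, self.proxy_base_url).items()]
                message["headers"] = list(message.get("headers", [])) + extra
            await send(message)

        await self.app(scope, receive, send_with_headers)
```

Install it with `app.add_middleware(SecurityHeadersMiddleware, proxy_base_url=os.environ["PROXY_BASE_URL"])` on a FastAPI app; the origin check raises at startup rather than silently emitting a malformed access-control-allow-origin.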

@Manouchehri Manouchehri added the enhancement New feature or request label May 16, 2024
@krrishdholakia
Contributor

@Manouchehri help me understand this more

these are headers which are part of the request, which we need to return in the response headers?

@Manouchehri
Collaborator Author

These headers should be added to all responses, the request itself shouldn't have an impact.

@krrishdholakia
Contributor

content-security-policy
cross-origin-resource-policy
cross-origin-opener-policy
cross-origin-embedder-policy
x-frame-options
x-content-type-options
access-control-allow-origin

what do these mean exactly? @Manouchehri

and how might they change between requests?
