[Feature]: Add various security headers #3677
Labels
enhancement
New feature or request
Comments
@Manouchehri help me understand this more: these are headers which are part of the request, which we need to return in the response headers?
These headers should be added to all responses, the request itself shouldn't have an impact.
What do these mean exactly? @Manouchehri and how might they change between requests?
The Feature
LiteLLM should add the following headers:
content-security-policy
cross-origin-resource-policy
cross-origin-opener-policy
cross-origin-embedder-policy
x-frame-options
x-content-type-options
access-control-allow-origin
IMO it should use PROXY_BASE_URL as a default to calculate these headers. Reasonable defaults for all requests/paths would be (assuming PROXY_BASE_URL="https://example.com/"):
The CSP is a bit more complicated. For example, the CSP for https://example.com/v1/chat/completions and https://example.com/ui will be completely different. This is an UNSAFE/bad example of a CSP for LiteLLM:
Motivation, pitch
Security hardening of LiteLLM is always a good idea imo. =)
Twitter / LinkedIn details
https://twitter.com/DaveManouchehri
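One way to implement what the issue asks for, as an added example that is not LiteLLM's own code: a dependency-free ASGI middleware that attaches the listed headers to every response, derives the origin-dependent values (access-control-allow-origin and the CSP's connect-src) from PROXY_BASE_URL, and switches the CSP by path so that the JSON API gets a locked-down policy while /ui gets one that can load its own scripts and styles. The concrete header values, the API_CSP / ui_csp policies, the /ui prefix rule and the demo_app stand-in are assumptions for illustration; the issue itself does not specify them.

```python
"""Added example (not LiteLLM's own code): ASGI middleware that sets the
security headers requested in the issue on every HTTP response.

Assumptions (not from the issue): the header values below, the two CSPs,
and that everything under /ui is the dashboard while other paths are API.
Only the Python standard library is used, so it runs offline."""
import asyncio
from urllib.parse import urlsplit

# The API returns JSON and never needs to load sub-resources, so it gets the
# strictest CSP possible (assumed default).
API_CSP = "default-src 'none'; frame-ancestors 'none'"


def ui_csp(origin: str) -> str:
    """CSP for the dashboard (assumed: same-origin scripts/styles, XHR to the proxy)."""
    return (
        "default-src 'self'; script-src 'self'; style-src 'self'; "
        f"img-src 'self' data:; connect-src {origin}; "
        "frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
    )


def origin_of(base_url: str) -> str:
    """Reduce PROXY_BASE_URL to scheme://host[:port]; reject anything that is not an absolute http(s) URL."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"PROXY_BASE_URL must be an absolute http(s) URL, got {base_url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def security_headers(base_url: str, path: str) -> dict:
    """Headers for one response, given the configured base URL and the request path."""
    origin = origin_of(base_url)
    is_ui = path == "/ui" or path.startswith("/ui/")
    return {
        "content-security-policy": ui_csp(origin) if is_ui else API_CSP,
        "cross-origin-resource-policy": "same-origin",
        "cross-origin-opener-policy": "same-origin",
        "cross-origin-embedder-policy": "require-corp",
        "x-frame-options": "DENY",  # legacy twin of frame-ancestors 'none'
        "x-content-type-options": "nosniff",
        # Echoing the proxy's own origin rather than "*" keeps browsers from
        # letting arbitrary sites read authenticated responses.
        "access-control-allow-origin": origin,
    }


class SecurityHeadersMiddleware:
    """Wraps any ASGI app; the wrapped app's own values for these headers are replaced."""

    def __init__(self, app, base_url: str):
        self.app = app
        self.base_url = base_url
        origin_of(base_url)  # fail at startup, not on the first request

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # leave websocket/lifespan untouched
            await self.app(scope, receive, send)
            return
        wanted = security_headers(self.base_url, scope.get("path", "/"))

        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                kept = [(k, v) for k, v in message.get("headers", [])
                        if k.decode("latin-1").lower() not in wanted]
                added = [(k.encode("latin-1"), v.encode("latin-1")) for k, v in wanted.items()]
                message = {**message, "headers": kept + added}
            await send(message)

        await self.app(scope, receive, send_wrapper)


async def demo_app(scope, receive, send):
    """Constructed stand-in for the proxy: answers with JSON and no security headers."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b"{}"})


def response_headers(app, path: str) -> dict:
    """Drive `app` with a GET for `path` in-process and return the response headers."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app({"type": "http", "method": "GET", "path": path, "headers": []}, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in start["headers"]}


if __name__ == "__main__":
    app = SecurityHeadersMiddleware(demo_app, "https://example.com/")
    for p in ("/v1/chat/completions", "/ui"):
        print(p)
        for name, value in response_headers(app, p).items():
            print(f"  {name}: {value}")
```

Running the module prints the header set for an API path and for /ui, showing only the CSP differing between them. In a FastAPI application the wrapper would be installed with `app.add_middleware(SecurityHeadersMiddleware, base_url=os.environ["PROXY_BASE_URL"])`; a separate CORS layer, if the deployment needs cross-origin callers, should set access-control-allow-origin per request (with `Vary: Origin`) instead of this fixed value.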