fix(security): remove CSRF leak and add CSP headers

finbot/core/auth/middleware.py

@@ -149,7 +149,15 @@ def _add_security_headers(self, response: Response):
         """Add security headers"""
         response.headers["X-Content-Type-Options"] = "nosniff"
         response.headers["X-Frame-Options"] = "DENY"
-        response.headers["X-XSS-Protection"] = "1; mode=block"
+        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+        response.headers["Content-Security-Policy"] = (
+            "default-src 'self'; "
+            "script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://cdn.tailwindcss.com https://cdn.jsdelivr.net; "
+            "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
+            "font-src 'self' https://fonts.gstatic.com; "
+            "img-src 'self' data: https://gravatar.com https://secure.gravatar.com; "
+            "connect-src 'self' ws: wss:;"
+        )
 
 
 # Dependencies for FastAPI routes

finbot/main.py

@@ -230,7 +230,6 @@ async def session_status(
         "is_temporary": session_context.is_temporary,
         "namespace": session_context.namespace,
         "security_status": session_context.get_security_status(),
-        "csrf_token": session_context.csrf_token,
     }