Skip to content

ENG-1855 Privacy Center security headers #6906

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tvandort merged 23 commits into from
Dec 5, 2025
Merged

ENG-1855 Privacy Center security headers #6906

tvandort merged 23 commits into from
Dec 5, 2025

Conversation

@tvandort
Copy link
Contributor

@tvandort tvandort commented Nov 3, 2025
edited
Loading

Ticket ENG-1855

Description Of Changes

This PR adds security related headers to Privacy Center responses when the Privacy Center environment variable FIDES_PRIVACY_CENTER__SECURITY_HEADERS_MODE is set to recommended.

The security headers added to every response are:

  • X-Content-Type-Options: "nosniff"
  • Cache-Control: "no-cache, no-store, must-revalidate"
  • Strict-Transport-Security: "max-age=31536000"

The security headers conditionally added are:

  • X-Frame-Options SAMEORIGIN on everything but /embedded-consent.html

The security headers added to "page like" responses are:

  • Content-Security-Policy. This Policy changes depend on the mode and configuration of Fides please review the PR.

Steps to Confirm

  1. Set FIDES_PRIVACY_CENTER__SECURITY_HEADERS_MODE to recommended
  2. Start Privacy Center
  3. Visit Privacy center in a browser
  4. Check the response headers on / index
  5. Check the response headers on /fides.js
  6. Check the response headers on _next/* paths

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
    • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required

@vercel
Copy link

vercel bot commented Nov 3, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Preview Comments Updated (UTC)
fides-plus-nightly Ignored Ignored Preview Dec 5, 2025 5:54pm
fides-privacy-center Ignored Ignored Dec 5, 2025 5:54pm

@tvandort tvandort force-pushed the ENG-1855-security-headers branch 2 times, most recently from 75c47e3 to afd7826 Compare November 19, 2025 14:35
@tvandort tvandort marked this pull request as ready for review November 19, 2025 14:35
@tvandort tvandort requested a review from a team as a code owner November 19, 2025 14:35
@tvandort tvandort requested review from gilluminate and removed request for a team November 19, 2025 14:35
@greptile-apps
Copy link
Contributor

greptile-apps bot commented Nov 19, 2025
edited
Loading

Greptile Overview

Greptile Summary

Adds security headers to Privacy Center responses when FIDES_PRIVACY_CENTER__SECURITY_HEADERS_MODE is set to recommended. The implementation includes standard security headers (X-Content-Type-Options, Cache-Control, Strict-Transport-Security) and content-specific CSP policies with nonce support for dynamic pages.

Major Issues Found:

  • Malformed regex on line 75 of recommendedSecurityHeaders.ts - the pattern /\/?!embedded-consent\.html/ has incorrect negative lookahead syntax
  • Regex on line 79 has trailing pipe | that matches empty strings, causing unintended matcher behavior
  • Missing test coverage for critical regex matchers that control security header routing

Architecture:

  • Clean separation with header utilities in headers.ts and security-specific rules in recommendedSecurityHeaders.ts
  • Middleware properly caches settings to avoid repeated parsing
  • CSP policies differentiated by page type (static vs dynamic vs embedded)

Confidence Score: 2/5

  • Not safe to merge - contains regex bugs that break security header routing
  • Two critical regex syntax errors will cause X-Frame-Options and CSP headers to apply incorrectly. The malformed negative lookahead and trailing pipe operator mean security headers won't be applied to the right paths, potentially leaving pages unprotected or breaking embedded consent functionality
  • recommendedSecurityHeaders.ts requires immediate fixes to regex patterns before merging

Important Files Changed

File Analysis

Filename Score Overview
clients/privacy-center/app/server-utils/recommendedSecurityHeaders.ts 2/5 Implements CSP headers and security rules with regex pattern issue on line 75
clients/privacy-center/middleware.ts 4/5 Integrates security headers into middleware with proper caching
clients/privacy-center/app/server-utils/headers.ts 5/5 Clean header utility implementation with good separation of concerns
clients/privacy-center/tests/server-utils/recommendedSecurityHeaders.test.ts 4/5 Tests CSP header generation but lacks regex matcher validation

greptile-apps[bot]
greptile-apps bot reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

9 files reviewed, 2 comments

Edit Code Review Agent Settings | Greptile
React with 👍 or 👎 to share your feedback on this new summary format

@gilluminate
Copy link
Contributor

gilluminate commented Nov 19, 2025

@tvandort when I test this locally, it breaks the Demo page
/fides-js-demo.html?geolocation=us-ut

gilluminate
gilluminate reviewed Nov 19, 2025
View reviewed changes
@tvandort
Copy link
Contributor Author

tvandort commented Nov 20, 2025

@tvandort when I test this locally, it breaks the Demo page /fides-js-demo.html?geolocation=us-ut

Yeah I noticed this just after putting the PR. I need to do something more nuanced than what I've done here so I'm currently working on that.

Will address other review comments and rerequest when done.

@tvandort tvandort force-pushed the ENG-1855-security-headers branch from eb5b641 to 4b8be9d Compare November 24, 2025 20:52
@tvandort tvandort requested a review from gilluminate November 24, 2025 21:34
@tvandort tvandort force-pushed the ENG-1855-security-headers branch from 930c3ab to 0c72c09 Compare November 24, 2025 21:35
@tvandort
Copy link
Contributor Author

tvandort commented Nov 24, 2025

@gilluminate I refactored this pretty significantly which I think in turn addressed all your review comments. Of course... everything is now pretty different so it might be worthwhile to pretend it's new.

@tvandort
Copy link
Contributor Author

tvandort commented Nov 24, 2025

@greptileai

greptile-apps[bot]
greptile-apps bot reviewed Nov 24, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

10 files reviewed, 3 comments

Edit Code Review Agent Settings | Greptile

@tvandort tvandort force-pushed the ENG-1855-security-headers branch from 6694589 to df95e02 Compare November 24, 2025 22:20
gilluminate
gilluminate reviewed Nov 24, 2025
View reviewed changes
@tvandort tvandort force-pushed the ENG-1855-security-headers branch from ac75f85 to 166853f Compare November 25, 2025 16:57
@tvandort tvandort requested a review from gilluminate November 25, 2025 18:24
gilluminate
gilluminate reviewed Nov 25, 2025
View reviewed changes
@tvandort tvandort force-pushed the ENG-1855-security-headers branch 2 times, most recently from 0826f3a to 78df792 Compare December 3, 2025 22:07
@tvandort tvandort added this pull request to the merge queue Dec 5, 2025
github-merge-queue bot pushed a commit that referenced this pull request Dec 5, 2025
@tvandort @gilluminate
ENG-1855 Privacy Center security headers (#6906)
53463fd 
Co-authored-by: Jason Gill <jason.gill@ethyca.com>
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 5, 2025
tvandort and others added 19 commits December 5, 2025 12:51
@tvandort
safely get url tests.
a44e8c7
@tvandort
Silence tests.
97d4cb2
@tvandort
get header rules
b10ac8a
@tvandort
Test context appliers.
59f3752
@tvandort
Response header tests.
c94af8c
@tvandort
Recommended tests
c209e29
@tvandort
Allow frame ancestors for embedded-consent.
bae8a6e
@tvandort
Why did that change?
c81d3ff
@tvandort
Fix negative lookahead.
d07bf99
@tvandort
Fix negative lookahead.
c60824b
@tvandort @gilluminate
Update clients/privacy-center/app/server-utils/recommendedSecurityHea…
cb46d8c 
…ders.ts

Co-authored-by: Jason Gill <jason.gill@ethyca.com>
@tvandort @gilluminate
Update clients/privacy-center/__tests__/server-utils/recommendedSecur…
8db08c0 
…ityHeaders.test.ts

Co-authored-by: Jason Gill <jason.gill@ethyca.com>
@tvandort
PR feedback.
5373218
@tvandort
Update snapshots.
c13d233
@tvandort
Improve documentation.
0b0b3ca
@tvandort
Update test filename.
f408ed2
@tvandort
Update description.
f387f4e
@tvandort
Update based on platform team review.
db81945
@tvandort
Update changelog.
22fab20
@tvandort tvandort force-pushed the ENG-1855-security-headers branch from 78df792 to 22fab20 Compare December 5, 2025 17:51
@tvandort tvandort enabled auto-merge December 5, 2025 17:52
@tvandort tvandort disabled auto-merge December 5, 2025 17:52
@tvandort tvandort enabled auto-merge December 5, 2025 17:55
@tvandort tvandort added this pull request to the merge queue Dec 5, 2025
Merged via the queue into main with commit ccab657 Dec 5, 2025
43 checks passed
@tvandort tvandort deleted the ENG-1855-security-headers branch December 5, 2025 18:04
tvandort added a commit that referenced this pull request Dec 5, 2025
@tvandort @gilluminate
ENG-1855 Privacy Center security headers (#6906)
f695a10 
Co-authored-by: Jason Gill <jason.gill@ethyca.com>
@daveqnet daveqnet mentioned this pull request Dec 17, 2025
Merged
18 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gilluminate gilluminate gilluminate approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tvandort @gilluminate