eli-389 adding middleware to automatically add security headers to our responses

eddalmond1 · eddalmond1 · commit 5580fc3f4654 · 2025-11-05T14:25:41.000Z
diff --git a/src/eligibility_signposting_api/middleware/__init__.py b/src/eligibility_signposting_api/middleware/__init__.py
@@ -0,0 +1,5 @@
+"""Middleware package for the Eligibility Signposting API."""
+
+from eligibility_signposting_api.middleware.security_headers import SecurityHeadersMiddleware
+
+__all__ = ["SecurityHeadersMiddleware"]
diff --git a/src/eligibility_signposting_api/middleware/security_headers.py b/src/eligibility_signposting_api/middleware/security_headers.py
@@ -0,0 +1,60 @@
+"""Security headers middleware for Flask application.
+
+This middleware adds security headers to all responses from the Lambda function.
+These headers are applied to successful responses (200, 201, etc.) from the application.
+
+For API Gateway error responses (4xx, 5xx generated by API Gateway itself),
+see gateway_responses.tf in the infrastructure configuration.
+"""
+
+from typing import ClassVar
+
+from flask import Flask, Response
+
+
+class SecurityHeadersMiddleware:
+    """Middleware to add security headers to all Flask responses."""
+
+    # Security headers recommended for NHS APIs
+    SECURITY_HEADERS: ClassVar[dict[str, str]] = {
+        "Cache-Control": "no-store, private",
+        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+        "X-Content-Type-Options": "nosniff",
+    }
+
+    def __init__(self, app: Flask | None = None) -> None:
+        """Initialize the middleware.
+
+        Args:
+            app: Flask application instance. Can be provided later via init_app()
+        """
+        if app is not None:
+            self.init_app(app)
+
+    def init_app(self, app: Flask) -> None:
+        """Initialize the middleware with a Flask application.
+
+        Args:
+            app: Flask application instance to apply middleware to
+        """
+        app.after_request(self.add_security_headers)
+
+    @classmethod
+    def add_security_headers(cls, response: Response) -> Response:
+        """Add security headers to the Flask response.
+
+        This is called automatically by Flask after each request.
+
+        Args:
+            response: Flask response object
+
+        Returns:
+            Modified response object with security headers added
+        """
+        for header, value in cls.SECURITY_HEADERS.items():
+            # Only add header if it doesn't already exist
+            # This allows specific endpoints to override if needed
+            if header not in response.headers:
+                response.headers[header] = value
+
+        return response
