ENG-2192: Security Headers

[tvandort]

Ticket ENG-2192

Description Of Changes

Adds good practice security headers to Admin UI & Fides API.

Code Changes

Adds the following headers on routes:

• X-Content-Type-Options
• Strict-Transport-Security
• Content-Security-Policy
• X-Frame-Options

Steps to Confirm

1. set FIDES__SECURITY__HEADERS_MODE="recommended"
2. run fides after exporting the admin UI to serve it from port 8080
3. browse around
4. check the network panel to see that headers are applied

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Jan 6, 2026 8:50pm
fides-privacy-center	Ignored		Jan 6, 2026 8:50pm

[codecov]

Codecov Report

❌ Patch coverage is 95.12195% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.25%. Comparing base (0bc95f8) to head (87bcb2a).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
src/fides/api/util/security_headers.py	94.59%	1 Missing and 1 partial ⚠️

❌ Your patch status has failed because the patch coverage (95.12%) is below the target coverage (100.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7134   +/-   ##
=======================================
  Coverage   87.24%   87.25%           
=======================================
  Files         535      536    +1     
  Lines       35335    35375   +40     
  Branches     4114     4120    +6     
=======================================
+ Hits        30828    30865   +37     
- Misses       3617     3618    +1     
- Partials      890      892    +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[greptile-apps]

Greptile Summary

Adds configurable security headers middleware to Fides API and Admin UI. When FIDES__SECURITY__HEADERS_MODE="recommended" is set, responses include HSTS, X-Content-Type-Options, and path-based CSP and X-Frame-Options headers.

• Added SecurityHeadersMiddleware that applies headers based on regex path matching
• CSP and X-Frame-Options only applied to non-API routes (excluding /api and /health paths)
• HSTS and X-Content-Type-Options applied to all routes
• Configuration frozen at import time for performance (intentional design choice)

Issues found:

• Root path / won't receive CSP headers due to regex requiring at least one character after /
• Missing test coverage for root path behavior

Confidence Score: 4/5

• Safe to merge with minor fix needed for root path handling
• Implementation is solid with good test coverage. One logical issue with root path regex pattern prevents CSP headers from being applied to /, which may be unintended. All previous review concerns have been addressed.
• Focus on src/fides/api/util/security_headers.py:53 to fix root path matching

Important Files Changed

Filename	Overview
src/fides/api/util/security_headers.py	Adds new middleware to apply security headers based on path matching rules. Implements CSP, HSTS, X-Frame-Options, and X-Content-Type-Options headers.
src/fides/config/security_settings.py	Adds headers_mode configuration option to control security headers behavior.
src/fides/api/app_setup.py	Registers SecurityHeadersMiddleware to the FastAPI application.
tests/api/util/test_security_headers.py	Unit tests for security headers middleware covering pattern matching, header application, and recommended headers for different paths.

[greptile-apps]

_{4 files reviewed, 6 comments}

_{Edit Code Review Agent Settings | Greptile}

[tvandort]

@grepileai review again pls

[tvandort]

@greptile pls rereview

[greptile-apps]

_{4 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[tvandort]

@greptile pls rereview

[greptile-apps]

_{4 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[tvandort]

@greptile pls rereview

[greptile-apps]

_{4 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}