ENG-2404: Update CSP headers to include docs pages

[tvandort]

Ticket ENG-2404

Description Of Changes

Updates CSP header definitions to include docs pages. These were broken when FIDES__SECURITY__HEADER_MODE was set to recommended.

The changes include domains for scripts, styles, and images that are required for the respective page to load.

Code Changes

• Added CSP definition for Swagger on /docs
• Added CSP definition for Redoc on /redoc

Steps to Confirm

1. Set FIDES__SECURITY__HEADER_MODE=recommended
2. Start Fides API
3. Browse to /docs make sure the page loads and the console doesn't log any CSP errors
4. Browse to /redoc make sure the page loads and the console doesn't log any CSP errors

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Jan 28, 2026 6:39pm
fides-privacy-center	Ignored		Jan 28, 2026 6:39pm

[greptile-apps]

Greptile Summary

This PR adds Content Security Policy (CSP) headers for the /docs (Swagger) and /redoc API documentation endpoints to fix broken pages when FIDES__SECURITY__HEADER_MODE is set to recommended.

Changes include:

• Added domain constants for external CDNs (cdn.jsdelivr.net, fastapi.tiangolo.com, cdn.redoc.ly, Google Fonts domains)
• Created two new CSP header configurations: recommended_csp_header_value_for_swagger and recommended_csp_header_value_for_redoc
• Updated the negative lookahead regex pattern to exclude /docs and /redoc from the default CSP policy
• Added two new HeaderRule entries for the /docs and /redoc endpoints with their specific CSP configurations
• Added comprehensive test coverage for both new endpoints

The implementation correctly whitelists the necessary external resources (scripts, styles, fonts, images) required for each documentation page to render properly while maintaining security through CSP.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The changes are straightforward and well-tested, adding CSP headers for documentation endpoints. The implementation follows existing patterns, includes comprehensive test coverage, and only affects security headers for two specific endpoints. No logic changes to core functionality.
• No files require special attention

Important Files Changed

Filename	Overview
changelog/7235-add-docs-csp-headers.yaml	Changelog entry properly formatted with correct type, description, and PR number
src/fides/api/util/security_headers.py	Added CSP configurations for /docs and /redoc endpoints with appropriate domain whitelisting for Swagger and Redoc dependencies
tests/api/util/test_security_headers.py	Comprehensive test coverage added for new /docs and /redoc security headers

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[tvandort]

@gretile pls rereview

[tvandort]

@greptile pls rereview

[galvana]

Set the environment variable and verified /docs and /redoc don't return any CSP errors in the console