Add improved security headers to FastAPI responses

README.md

@@ -163,7 +163,7 @@ kedro viz --save-file=filename.json
 
 We also recommend wrapping the `Kedro-Viz` component with a parent HTML/JSX element that has a specified height (as seen in the above example) in order for Kedro-Viz to be styled properly.
 
-**_Our documentation contains [additional examples on how to visualise with kedro-viz](https://docs.kedro.org/en/stable/visualisation/)_**
+**_Our documentation contains [additional examples on how to visualise with Kedro-Viz.](https://docs.kedro.org/en/stable/visualisation/)_**
 
 ## Feature Flags
 

package/kedro_viz/api/apps.py

@@ -5,6 +5,7 @@
 import time
 from pathlib import Path
 
+import secure
 from fastapi import FastAPI, HTTPException
 from fastapi.requests import Request
 from fastapi.responses import HTMLResponse, JSONResponse, Response
@@ -20,6 +21,8 @@
 
 _HTML_DIR = Path(__file__).parent.parent.absolute() / "html"
 
+secure_headers = secure.Secure()
+
 
 def _create_etag() -> str:
     """Generate the current timestamp to use as etag."""
@@ -56,6 +59,12 @@ def create_api_app_from_project(
     # this is used as an etag embedded in the frontend for client to use when making requests.
     app_etag = _create_etag()
 
+    @app.middleware("http")
+    async def set_secure_headers(request, call_next):
+        response = await call_next(request)
+        secure_headers.framework.fastapi(response)
+        return response
+
     @app.get("/")
     @app.get("/experiment-tracking")
     async def index():

package/requirements.txt

@@ -11,3 +11,4 @@ sqlalchemy>=1.4, <3
 strawberry-graphql>=0.99.0, <1.0
 networkx>=1.0
 orjson~=3.8
+secure>=0.3.0