From 4232d6625994df68358233a9662e1a0512c82952 Mon Sep 17 00:00:00 2001
From: Consultoria AS
Date: Tue, 28 Apr 2026 04:47:24 +0000
Subject: [PATCH] security: CORS + headers de seguridad para 3d.consultoria-as.com

- CORSMiddleware con dominio de produccion y localhost
- SecurityHeadersMiddleware: X-Frame-Options, CSP, nosniff, referrer-policy
- Titulo de app actualizado a PrintForge v2.2.0
---
 app/main.py | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/app/main.py b/app/main.py
index 86f387c..16a5b7e 100644
--- a/app/main.py
+++ b/app/main.py
@@ -1,6 +1,8 @@
 from fastapi import FastAPI
 from fastapi.staticfiles import StaticFiles
 from fastapi.responses import FileResponse
+from fastapi.middleware.cors import CORSMiddleware
+from starlette.middleware.base import BaseHTTPMiddleware
 from app.database import engine, Base
 from app.routers import models
 from app.migrate import run_migrations
@@ -10,7 +12,39 @@ import os
 Base.metadata.create_all(bind=engine)
 run_migrations()
-app = FastAPI(title="STL Repository", version="2.1.0")
+app = FastAPI(title="PrintForge", version="2.2.0")
+
+# CORS — allow production domain and local development
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=[
+        "https://3d.consultoria-as.com",
+        "http://localhost:8000",
+        "http://127.0.0.1:8000",
+    ],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# Security headers middleware
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    async def dispatch(self, request, call_next):
+        response = await call_next(request)
+        response.headers["X-Frame-Options"] = "SAMEORIGIN"
+        response.headers["X-Content-Type-Options"] = "nosniff"
+        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+        response.headers["Content-Security-Policy"] = (
+            "default-src 'self'; "
+            "script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
+            "style-src 'self' 'unsafe-inline'; "
+            "img-src 'self' data: blob:; "
+            "font-src 'self'; "
+            "connect-src 'self';"
+        )
+        return response
+
+app.add_middleware(SecurityHeadersMiddleware)
 app.include_router(models.router)
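Review bot: `script-src 'self' 'unsafe-inline'` in the Content-Security-Policy set by the new SecurityHeadersMiddleware.dispatch lets any injected inline script run, so this CSP does not actually mitigate XSS on the origin; if the templates need inline scripts, a per-response nonce or hash keeps the allowlist meaningful, and until then a comment such as `# 'unsafe-inline' is required by inline scripts in the templates; it disables CSP's XSS protection — migrate to nonces/hashes` should record the trade-off next to the policy. Separately, `default-src` does not govern `base-uri`, `form-action` or `frame-ancestors`, so the policy should close them explicitly by appending `"frame-ancestors 'self'; base-uri 'self'; form-action 'self';"` to the string (frame-ancestors also covers browsers that ignore the older X-Frame-Options header). The three CDN hosts in script-src are third-party code loaded at runtime; pinning those tags with Subresource Integrity in the templates would bound the impact of a CDN compromise, though that lives outside this file. The hunk's trailing context may extend past the lines shown here.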