feat(dataviewer): add OWASP security middleware stack

[katriendg]

Description

Added a layered OWASP security middleware stack to the dataviewer FastAPI backend, addressing clickjacking, MIME-sniffing, CSRF scoping, request body bombs, brute force via rate limiting, and information disclosure through exception handler filtering. The implementation follows the existing ASGI middleware pattern and integrates with the authentication layer while keeping all thresholds configurable via environment variables.

Closes #118

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

Testing Performed

• Terraform plan reviewed (no unexpected changes)
• Terraform apply tested in dev environment
• Training scripts tested locally with Isaac Sim
• OSMO workflow submitted successfully
• Smoke tests passed (smoke_test_azure.py)

Documentation Impact

• No documentation changes needed
• Documentation updated in this PR
• Documentation issue filed

Bug Fix Checklist

Complete this section for bug fix PRs. Skip for other contribution types.

• Linked to issue being fixed
• Regression test included, OR
• Justification for no regression test:

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

---

Changes

Security Middleware

A new middleware.py module introduced two ASGI middleware classes that compose into the existing Starlette stack.

• SecurityHeadersMiddleware injects five OWASP baseline headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy) on every HTTP response, with a conditional CSP applied only to non-API paths to avoid breaking frontend dev-server proxies
• ContentSizeLimitMiddleware enforces request body size limits with a dual-check strategy — validates the Content-Length header upfront and tracks streaming bytes for chunked transfers, returning HTTP 413 when exceeded
  • Configurable via MAX_REQUEST_BODY_BYTES (default 10 MB)

Application-Level Hardening

Custom exception handlers in main.py prevent information leakage by returning generic error responses to clients while logging full tracebacks server-side.

• CORS hardened from wildcard allow_methods=["*"] and allow_headers=["*"] to explicit allow-lists of methods and headers
• CSRF cookie scoped with path="/" for correct cross-route coverage
• Enhanced /health endpoint returns a structured response with an API and storage connectivity probe, returning HTTP 503 when storage is unreachable
• Rate limiter instantiated globally via slowapi and registered with the application state

Detection Router

Rate limiting, CSRF enforcement, and structured logging applied to the detection API.

• Per-endpoint @limiter.limit() decorators on run_detection, get_detections, and clear_detections with environment-configurable thresholds (RATE_LIMIT_DETECT, RATE_LIMIT_DETECTIONS)
• CSRF dependency added to the clear_detections DELETE endpoint
• Migrated print(..., file=sys.stderr) calls to structured logger using %-style formatting
• Renamed request parameter to request_body to disambiguate from the rate limiter's Request dependency

Test Coverage

A new test_security_middleware.py provides 28+ test methods across 8 test classes covering every new security behavior at both TestClient integration and raw ASGI unit test levels.

• Security headers, content size limits, exception handlers, CSRF cookie scoping, CORS hardening, enhanced health check, detection security, and direct ASGI middleware tests
• test_health.py refactored to class-based tests with storage probe validation
• test_api_endpoints.py updated for the new structured health response

Supporting

• Added slowapi==0.1.9 dependency in pyproject.toml
• Documented new environment variables in .env.example
• Added "redoc" and "slowapi" to .cspell/general-technical.txt
• Enabled host: true in vite.config.ts for devcontainer port forwarding

Related Issues

Closes #118

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA ba54e4c.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

data-management/viewer/backend/uv.lock

Package	Version	License	Issue Type
limits	5.8.0	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/deprecated	1.3.1	Unknown	Unknown
pip/limits	5.8.0	Unknown	Unknown
pip/slowapi	0.1.9	Unknown	Unknown
pip/wrapt	2.1.2	Unknown	Unknown

Scanned Files

• data-management/viewer/backend/uv.lock

[codecov-commenter]

Codecov Report

❌ Patch coverage is 99.09910% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 65.18%. Comparing base (9f138a9) to head (ba54e4c).

Files with missing lines	Patch %	Lines
...gement/viewer/backend/src/api/routers/detection.py	93.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #439      +/-   ##
==========================================
+ Coverage   64.80%   65.18%   +0.38%     
==========================================
  Files         251      253       +2     
  Lines       15441    15541     +100     
  Branches     2108     2118      +10     
==========================================
+ Hits        10006    10130     +124     
+ Misses       5146     5122      -24     
  Partials      289      289              

Flag	Coverage Δ
pester	82.24% <ø> (ø)
pytest	92.40% <ø> (ø)
pytest-dataviewer	65.12% <99.09%> (+1.24%)	⬆️
pytest-fuzz	1.56% <0.00%> (-0.03%)	⬇️
vitest	51.77% <ø> (ø)

Files with missing lines	Coverage Δ
data-management/viewer/backend/src/api/main.py	100.00% <100.00%> (+3.77%)	⬆️
...ta-management/viewer/backend/src/api/middleware.py	100.00% <100.00%> (ø)
...-management/viewer/backend/src/api/rate_limiter.py	100.00% <100.00%> (ø)
...gement/viewer/backend/src/api/routers/detection.py	88.63% <93.33%> (+47.61%)	⬆️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[nguyena2]

main.py (L90) and detection.py (L22) each instantiate their own Limiter(key_func=get_remote_address). These are independent objects with separate in-memory counter stores. If this is the intended behavior, then no changes needed. If not, then suggest creating a shared module and importing it into both.

[katriendg]

@nguyena2 pretty relevant catch here, thanks! I've updated into a shared module and updated the tests.