
fix(api-server): add browser security headers #26814

Closed
lidge-jun wants to merge 1 commit into NousResearch:main from lidge-jun:codex/7487-api-security-headers

Conversation

@lidge-jun


Summary

  • Add the missing defense-in-depth browser security headers to the OpenAI-compatible API server responses.
  • Keep the existing middleware behavior of using setdefault, so route handlers can still override a header intentionally.
  • Extend the existing /health regression test to lock the full security header set.

Closes #7487.

Verification

Real environment tested: macOS local workstation, Python 3.11.13 via existing Hermes worktree venv, Hermes built from source at this PR head.

Commands run after this patch:

scripts/run_tests.sh tests/gateway/test_api_server.py
.venv/bin/python -m ruff check gateway/platforms/api_server.py tests/gateway/test_api_server.py
git diff --check

Evidence after fix:

scripts/run_tests.sh tests/gateway/test_api_server.py
146 passed, 95 warnings in 2.67s

.venv/bin/python -m ruff check gateway/platforms/api_server.py tests/gateway/test_api_server.py
All checks passed!

git diff --check
(no output)

What was not tested: live HTTPS deployment behavior behind a reverse proxy; this patch covers the response header middleware directly through the aiohttp test server.
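The setdefault middleware pattern described in the summary, as an added example that is not the PR's own code: the header list and values, and the names `SECURITY_HEADERS`, `apply_security_headers` and `security_headers_middleware`, are assumptions. The core logic is a plain function so it can be checked without a server; the aiohttp wrapper is only defined when aiohttp is installed.

```python
"""Browser security headers applied with setdefault semantics (added example,
not the PR's code; header values and function names are assumptions)."""
from __future__ import annotations

from typing import MutableMapping

# Constructed default set: the page names CSP, X-Frame-Options and HSTS but
# does not show the PR's exact values.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    # Browsers only honour HSTS on HTTPS responses, so behind a TLS-terminating
    # proxy this header only has effect if the proxy passes it through.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def apply_security_headers(headers: MutableMapping[str, str]) -> list[str]:
    """Add each default header unless the handler already set it.

    HTTP header names are case-insensitive, so a handler that set
    "x-frame-options" counts as an intentional override (aiohttp's CIMultiDict
    handles this itself; the explicit check keeps plain dicts correct too).
    Returns the names that were added, which is convenient in regression tests.
    """
    present = {name.lower() for name in headers}
    added = []
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            headers[name] = value
            added.append(name)
    return added


try:
    from aiohttp import web

    @web.middleware
    async def security_headers_middleware(request, handler):
        """Run the handler first, then fill in any header it did not set."""
        response = await handler(request)
        apply_security_headers(response.headers)
        return response
except ImportError:  # aiohttp absent: the pure function above still works
    web = None
```

Handlers that raise `web.HTTPException` (aiohttp's error responses) never return through this middleware, so those responses carry none of the headers unless the middleware also catches the exception, applies the same function to `exc.headers`, and re-raises.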

alt-glitch added the labels type/security (Security vulnerability or hardening), P3 (Low — cosmetic, nice to have) and comp/gateway (Gateway runner, session dispatch, delivery) on May 16, 2026
lidge-jun force-pushed the codex/7487-api-security-headers branch from 09597bd to 394e3fb on May 17, 2026 03:33
teknium1 added a commit that referenced this pull request May 17, 2026
…tors

Adds release-note attribution mappings for 9 contributors from group 4:
- @EloquentBrush0x (PR #26657)
- @subtract0 (PR #25658)
- @zwolniony (PR #26961)
- @that-ambuj (PR #26582)
- @zccyman (PR #25294)
- @lidge-jun (PR #26814)
- @phoenixshen (PR #26768)
- @AhmetArif0 (PR #26635)
- (francip already mapped from prior PR #26134 attribution)

#27147 dropped from this batch — already landed on main as 4b17c24.
@teknium1


Merged via PR #27308 — your commit was cherry-picked onto current main as part of a batch salvage of low-risk new-contributor PRs. Authorship preserved (fix(api-server): add browser security headers). Thanks for the contribution.

teknium1 closed this on May 17, 2026
gweeteve pushed a commit to gweeteve/hermes-agent that referenced this pull request Jun 2, 2026
Successfully merging this pull request may close these issues.

[Security] Missing security headers on API server responses (CSP, X-Frame-Options, HSTS)