fix: SFI issue fix

[Ravikirana-Microsoft]

Purpose

This pull request introduces important security enhancements to the FastAPI frontend server. The changes focus on preventing unauthorized access to sensitive files, mitigating directory traversal attacks, and adding security headers to HTTP responses.

Security improvements for static file serving:

• Added path resolution and validation logic in the serve_app endpoint to prevent directory traversal and ensure only files within the build directory are served.
• Implemented checks to block access to dotfiles, forbidden file extensions (e.g., .env, .py, .key), and forbidden filenames (e.g., Dockerfile, .secrets). Suspicious requests now return a 404 error. [1] [2]

HTTP response hardening:

• Added middleware to inject basic security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) into all responses for improved browser security.
• Ensured security headers are also included in responses from the static file serving endpoint.

Dependency and import updates:

• Updated imports to include Path, HTTPException, and Request for new security logic.

Does this introduce a breaking change?

• Yes
• No

Golden Path Validation

• I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

• I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

• ...

Other Information

[github-actions]

🎉 This PR is included in version 1.5.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀