Fix duplicate security headers

changelog.d/20241120_172837_roman.md

@@ -0,0 +1,4 @@
+### Fixed
+
+- Fixed security header duplication in HTTP responses from the backend
+  (<https://github.com/cvat-ai/cvat/pull/8726>)

cvat/nginx.conf

@@ -41,14 +41,27 @@ http {
   # CVAT Settings
   ##
 
+  # Only add security headers if the upstream server does not already provide them.
+  map $upstream_http_referrer_policy $hdr_referrer_policy {
+      '' "strict-origin-when-cross-origin";
+  }
+
+  map $upstream_http_x_content_type_options $hdr_x_content_type_options {
+      '' "nosniff";
+  }
+
+  map $upstream_http_x_frame_options $hdr_x_frame_options {
+      '' "deny";
+  }
+
   server {
     listen 8080;
     # previously used value
     client_max_body_size 1G;
 
-    add_header X-Frame-Options deny;
-    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy $hdr_referrer_policy always;
+    add_header X-Content-Type-Options $hdr_x_content_type_options always;
+    add_header X-Frame-Options $hdr_x_frame_options always;
 
     server_name _;
 

cvat/settings/base.py

@@ -574,6 +574,8 @@ class CVAT_QUEUES(Enum):
 # How django uses X-Forwarded-Proto - https://docs.djangoproject.com/en/2.2/ref/settings/#secure-proxy-ssl-header
 SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 
+SECURE_REFERRER_POLICY = 'strict-origin-when-cross-origin'
+
 # Forwarded host - https://docs.djangoproject.com/en/4.0/ref/settings/#std:setting-USE_X_FORWARDED_HOST
 # Is used in TUS uploads to provide correct upload endpoint
 USE_X_FORWARDED_HOST = True