sample-app-aoai-chatGPT
Return 404 on user-initiated requests to /history API
Motivation and Context
To avoid any potential SQL injection attack on the chat history database, we can hide the /history API to prevent direct user interaction, which is not necessary or desirable to expose on the app anyway.
Description
- Added a utility function to determine if a call was user originated based on the value of the Sec-Fetch-Site header (documented here)
- Updated app.py to reject user-originated calls to all /history API endpoints. Internal calls from the frontend are still permitted.
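The following is an added illustration of the check described above; it is not code from this PR or from the sample-app-aoai-chatGPT repository. It models the logic framework-independently with plain header dicts, assumes the chat-history API is mounted under `/history`, and uses the Fetch Metadata rule that browsers send `Sec-Fetch-Site: none` for user-initiated requests (typed URL, bookmark, reload) and `same-origin` for calls made by the app's own frontend. The names (`is_user_initiated`, `history_guard_status`, `HISTORY_PREFIX`) are this example's own.

```python
from typing import Mapping, Optional

# Added example, not the project's code. Browsers set Sec-Fetch-Site on every
# request; "none" means the user initiated it directly rather than page script.
USER_INITIATED_VALUE = "none"
# Assumption: the chat-history endpoints live under this prefix.
HISTORY_PREFIX = "/history"


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; plain dicts stand in for a framework request object."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip().lower()
    return None


def is_user_initiated(headers: Mapping[str, str]) -> bool:
    """True only when the browser reports Sec-Fetch-Site: none.

    A missing header (non-browser client, older browser) is treated as not
    user-initiated, which keeps the frontend working everywhere; see the note
    after the block on what that does and does not protect against.
    """
    return get_header(headers, "Sec-Fetch-Site") == USER_INITIATED_VALUE


def is_history_path(path: str) -> bool:
    """Match /history and anything under /history/, but not e.g. /historyx."""
    return path == HISTORY_PREFIX or path.startswith(HISTORY_PREFIX + "/")


def history_guard_status(path: str, headers: Mapping[str, str]) -> Optional[int]:
    """Return 404 when the request should be rejected, None when it may proceed.

    404 rather than 403 is deliberate: a direct probe of the route gets the same
    answer as a route that does not exist, which is what the PR title asks for.
    """
    if is_history_path(path) and is_user_initiated(headers):
        return 404
    return None


# Constructed sample requests (path, headers) to exercise the guard offline.
SAMPLE_REQUESTS = [
    ("/history/list", {"Sec-Fetch-Site": "same-origin"}),  # frontend fetch: allowed
    ("/history/list", {"sec-fetch-site": "none"}),         # typed into address bar: 404
    ("/history/delete_all", {"Sec-Fetch-Site": "none"}),   # direct navigation: 404
    ("/history/list", {}),                                 # no Fetch Metadata: allowed (lenient)
    ("/conversation", {"Sec-Fetch-Site": "none"}),         # not a history route: allowed
]


def evaluate_samples() -> list:
    """Run every constructed request through the guard and return (path, status) pairs."""
    return [(path, history_guard_status(path, headers)) for path, headers in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, status in evaluate_samples():
        print(f"{path:22s} -> {'404' if status else 'pass'}")
```

To wire this into a Flask or Quart app, call `history_guard_status(request.path, request.headers)` from a `before_request` hook and return `("Not found", 404)` when it yields a status. Two design points worth keeping in mind: the header is only set by browsers, so a script or curl client can simply omit it and the lenient policy above will let the request through, which makes this a hardening step against casual direct use of the route rather than an authorization boundary; and the SQL injection risk named in the motivation is ultimately addressed by parameterised queries on the history store, with this guard reducing exposure in front of them.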
Contribution Checklist
- [ ] I have built and tested the code locally and in a deployed app
- [ ] For frontend changes, I have pulled the latest code from main, built the frontend, and committed all static files.
- [ ] This is a change for all users of this app. No code or asset is specific to my use case or my organization.
- [ ] I didn't break any existing functionality :smile: