Merge pull request #491 from dod-ccpo/default-headers

Suggestions from http://flask.pocoo.org/docs/1.0/security/

atst/app.py

@@ -71,6 +71,7 @@ def make_app(config):
     app.form_cache = FormCache(app.redis)
 
     apply_authentication(app)
+    set_default_headers(app)
 
     return app
 
@@ -91,6 +92,28 @@ def make_flask_callbacks(app):
         return response
 
 
+def set_default_headers(app):  # pragma: no cover
+    @app.after_request
+    def _set_security_headers(response):
+        response.headers[
+            "Strict-Transport-Security"
+        ] = "max-age=31536000; includeSubDomains"
+        response.headers["X-Content-Type-Options"] = "nosniff"
+        response.headers["X-Frame-Options"] = "SAMEORIGIN"
+        response.headers["X-XSS-Protection"] = "1; mode=block"
+
+        if ENV == "dev":
+            response.headers[
+                "Content-Security-Policy"
+            ] = "default-src 'self' 'unsafe-eval'; connect-src *"
+        else:
+            response.headers[
+                "Content-Security-Policy"
+            ] = "default-src 'self' 'unsafe-eval'"
+
+        return response
+
+
 def map_config(config):
     return {
         **config["default"],

templates/components/alert.html

@@ -54,7 +54,7 @@
           {% elif actions is iterable %}
 
             {% for action in actions %}
-              <a href={{ action["href"] }} class='icon-link'>
+              <a href='{{ action["href"] }}' class='icon-link'>
                 {% if 'icon' in action %}{{ Icon(action["icon"]) }}{% endif %}
                 <span>{{ action["label"] }}</span>
               </a>