diff --git a/atst/app.py b/atst/app.py
index 88002c4f..84348e68 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -71,6 +71,7 @@ def make_app(config):
app.form_cache = FormCache(app.redis)
apply_authentication(app)
+ set_default_headers(app)
return app
@@ -91,6 +92,28 @@ def make_flask_callbacks(app):
return response
+def set_default_headers(app): # pragma: no cover
+ @app.after_request
+ def _set_security_headers(response):
+ response.headers[
+ "Strict-Transport-Security"
+ ] = "max-age=31536000; includeSubDomains"
+ response.headers["X-Content-Type-Options"] = "nosniff"
+ response.headers["X-Frame-Options"] = "SAMEORIGIN"
+ response.headers["X-XSS-Protection"] = "1; mode=block"
+
+ if ENV == "dev":
+ response.headers[
+ "Content-Security-Policy"
+ ] = "default-src 'self' 'unsafe-eval'; connect-src *"
+ else:
+ response.headers[
+ "Content-Security-Policy"
+ ] = "default-src 'self' 'unsafe-eval'"
+
+ return response
+
+
def map_config(config):
return {
**config["default"],
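Review bot: The Content-Security-Policy assigned on L25 and L29 places `'unsafe-eval'` in `default-src`, so it governs script execution in production as well as dev and gives away most of the XSS mitigation the header is meant to provide; if eval-style code is genuinely required it should be scoped to `script-src` only, e.g. `"default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'; frame-ancestors 'self'"`, where `frame-ancestors` mirrors the `X-Frame-Options: SAMEORIGIN` set on L19 for browsers that honour CSP over the legacy header. Since the dev branch differs only by `connect-src *`, building both policies from one shared base string would keep the two from drifting apart. The `# pragma: no cover` on L12 excludes the whole header path from coverage; a small test that requests any route and asserts these header values would catch a regression more cheaply than the exclusion saves. `ENV` is read on L22 but not imported within this hunk, so presumably it is already bound at module level in app.py — worth confirming.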
diff --git a/templates/components/alert.html b/templates/components/alert.html
index d170e2bb..b510457e 100644
--- a/templates/components/alert.html
+++ b/templates/components/alert.html
@@ -54,7 +54,7 @@
{% elif actions is iterable %}
{% for action in actions %}
-
+
{% if 'icon' in action %}{{ Icon(action["icon"]) }}{% endif %}
{{ action["label"] }}