Suggestions from http://flask.pocoo.org/docs/1.0/security/

2018-12-12 13:36:29 -05:00 · 2018-12-12 13:36:29 -05:00 · 5da374bbc9
commit 5da374bbc9
parent 809ab9547a
2 changed files with 16 additions and 1 deletions
--- a/atst/app.py
+++ b/atst/app.py
@ -71,6 +71,7 @@ def make_app(config):
    app.form_cache = FormCache(app.redis)

    apply_authentication(app)
+    set_default_headers(app)

    return app

@ -91,6 +92,20 @@ def make_flask_callbacks(app):
        return response


+def set_default_headers(app):
+    @app.after_request
+    def _set_security_headers(response):
+        response.headers[
+            "Strict-Transport-Security"
+        ] = "max-age=31536000; includeSubDomains"
+        response.headers["Content-Security-Policy"] = "default-src 'self'"
+        response.headers["X-Content-Type-Options"] = "nosniff"
+        response.headers["X-Frame-Options"] = "SAMEORIGIN"
+        response.headers["X-XSS-Protection"] = "1; mode=block"
+
+        return response
+
+
 def map_config(config):
    return {
        **config["default"],
--- a/templates/components/alert.html
+++ b/templates/components/alert.html
@ -54,7 +54,7 @@
          {% elif actions is iterable %}

            {% for action in actions %}
-              <a href={{ action["href"] }} class='icon-link'>
+              <a href='{{ action["href"] }}' class='icon-link'>
                {% if 'icon' in action %}{{ Icon(action["icon"]) }}{% endif %}
                <span>{{ action["label"] }}</span>
              </a>