From 5da374bbc94df0c7ef4e8829d1b6824cf8917dcf Mon Sep 17 00:00:00 2001
From: George Drummond
Date: Wed, 12 Dec 2018 13:36:29 -0500
Subject: [PATCH] Suggestions from http://flask.pocoo.org/docs/1.0/security/
---
atst/app.py | 15 +++++++++++++++
templates/components/alert.html | 2 +-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/atst/app.py b/atst/app.py
index 88002c4f..7cc3574d 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -71,6 +71,7 @@ def make_app(config):
app.form_cache = FormCache(app.redis)
apply_authentication(app)
+ set_default_headers(app)
return app
@@ -91,6 +92,20 @@ def make_flask_callbacks(app):
return response
+def set_default_headers(app):
+ @app.after_request
+ def _set_security_headers(response):
+ response.headers[
+ "Strict-Transport-Security"
+ ] = "max-age=31536000; includeSubDomains"
+ response.headers["Content-Security-Policy"] = "default-src 'self'"
+ response.headers["X-Content-Type-Options"] = "nosniff"
+ response.headers["X-Frame-Options"] = "SAMEORIGIN"
+ response.headers["X-XSS-Protection"] = "1; mode=block"
+
+ return response
+
+
def map_config(config):
return {
**config["default"],
diff --git a/templates/components/alert.html b/templates/components/alert.html
index d170e2bb..b510457e 100644
--- a/templates/components/alert.html
+++ b/templates/components/alert.html
@@ -54,7 +54,7 @@ {% elif actions is iterable %} {% for action in actions %} - + {% if 'icon' in action %}{{ Icon(action["icon"]) }}{% endif %} {{ action["label"] }}
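Review bot: `_set_security_headers` in the second atst/app.py hunk assigns every header unconditionally, so a view that deliberately sets a tighter `Content-Security-Policy` or a different `X-Frame-Options` for one route is silently overwritten by the after_request hook; since the function is named `set_default_headers`, using `response.headers.setdefault("Content-Security-Policy", "default-src 'self'")` (and likewise for the other four) would let view-level values win while keeping the baseline everywhere else. `default-src 'self'` also blocks inline `<script>`/`<style>` and `data:` URIs, so if any template relies on those (the alert.html change in this patch is not visible enough here to tell) those pages will break; shipping the same value as `Content-Security-Policy-Report-Only` first and checking for violations would make the cut-over safe. `Strict-Transport-Security` is only honoured by browsers on responses served over HTTPS, which is worth stating so nobody expects it to take effect behind a plain-HTTP dev server. A docstring on `set_default_headers` would help, e.g. `"""Register an after_request hook that adds baseline security headers (HSTS, CSP, nosniff, frame and XSS filter) to every response."""`.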