Add some useful owasp suggested headers

2026-02-05 10:53:28 -05:00 · 2016-01-07 13:58:38 +00:00
parent 30a5b771e2
commit 78b8aed96b
3 changed files with 22 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -67,3 +67,7 @@ node_modules
 bower_components
 app/templates/govuk_template.html
 npm-debug.log
+
+# private environment variables
+environment-private.sh
+
--- a/app/init.py
+++ b/app/init.py
@@ -46,6 +46,8 @@ def create_app(config_name):
    application.add_template_filter(placeholders)
    application.add_template_filter(replace_placeholders)

+    application.after_request(useful_headers_after_request)
+
    return application


@@ -106,3 +108,11 @@ def replace_placeholders(template, values):
        lambda match: values.get(match.group(1), ''),
        template
    ))
+
+
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+def useful_headers_after_request(response):
+    response.headers.add('X-Frame-Options', 'deny')
+    response.headers.add('X-Content-Type-Options', 'nosniff')
+    response.headers.add('X-XSS-Protection', '1; mode=block')
+    return response
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -0,0 +1,8 @@
+
+def test_owasp_useful_headers_set(notifications_admin):
+    with notifications_admin.test_request_context():
+        response = notifications_admin.test_client().get('/')
+    assert response.status_code == 200
+    assert response.headers['X-Frame-Options'] == 'deny'
+    assert response.headers['X-Content-Type-Options'] == 'nosniff'
+    assert response.headers['X-XSS-Protection'] == '1; mode=block'