From 78b8aed96bc04d74b933581abfb8866aef22c52f Mon Sep 17 00:00:00 2001 From: Adam Shimali Date: Thu, 7 Jan 2016 13:58:38 +0000 Subject: [PATCH] Add some useful owasp suggested headers --- .gitignore | 4 ++++ app/__init__.py | 10 ++++++++++ tests/app/main/views/test_headers.py | 8 ++++++++ 3 files changed, 22 insertions(+) create mode 100644 tests/app/main/views/test_headers.py diff --git a/.gitignore b/.gitignore index c84489e6a..c36f6156d 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,7 @@ node_modules bower_components app/templates/govuk_template.html npm-debug.log + +# private environment variables +environment-private.sh + diff --git a/app/__init__.py b/app/__init__.py index 498230fe3..7d9bfda30 100644 --- a/app/__init__.py +++ b/app/__init__.py @@ -46,6 +46,8 @@ def create_app(config_name): application.add_template_filter(placeholders) application.add_template_filter(replace_placeholders) + application.after_request(useful_headers_after_request) + return application @@ -106,3 +108,11 @@ def replace_placeholders(template, values): lambda match: values.get(match.group(1), ''), template )) + + +# https://www.owasp.org/index.php/List_of_useful_HTTP_headers +def useful_headers_after_request(response): + response.headers.add('X-Frame-Options', 'deny') + response.headers.add('X-Content-Type-Options', 'nosniff') + response.headers.add('X-XSS-Protection', '1; mode=block') + return response diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py new file mode 100644 index 000000000..c53ae0c47 --- /dev/null +++ b/tests/app/main/views/test_headers.py @@ -0,0 +1,8 @@ + +def test_owasp_useful_headers_set(notifications_admin): + with notifications_admin.test_request_context(): + response = notifications_admin.test_client().get('/') + assert response.status_code == 200 + assert response.headers['X-Frame-Options'] == 'deny' + assert response.headers['X-Content-Type-Options'] == 'nosniff' + assert response.headers['X-XSS-Protection'] == '1; mode=block'