mirror of
https://github.com/GSA/notifications-api.git
synced 2026-07-12 17:34:48 -04:00
Merge pull request #1882 from GSA/1720-july-zap-scan-results
Made changes for zap scans
This commit is contained in:
@@ -301,15 +301,44 @@ def init_app(app):
|
||||
g.start = monotonic()
|
||||
g.endpoint = request.endpoint
|
||||
|
||||
@app.before_request
|
||||
def handle_options():
|
||||
if request.method == "OPTIONS":
|
||||
response = make_response("", 204)
|
||||
response.headers["Access-Control-Allow-Origin"] = "*"
|
||||
response.headers["Access-Control-Allow-Methods"] = (
|
||||
"GET, POST, PUT, DELETE, OPTIONS"
|
||||
)
|
||||
response.headers["Access-Control-Allow-Headers"] = (
|
||||
"Content-Type, Authorization"
|
||||
)
|
||||
response.headers["Access-Control-Max-Age"] = "3600"
|
||||
return response
|
||||
|
||||
@app.after_request
|
||||
def after_request(response):
|
||||
# Security headers for government compliance
|
||||
response.headers.add("X-Content-Type-Options", "nosniff")
|
||||
response.headers.add("X-Frame-Options", "DENY")
|
||||
response.headers.add("X-XSS-Protection", "1; mode=block")
|
||||
response.headers.add("Referrer-Policy", "strict-origin-when-cross-origin")
|
||||
response.headers.add(
|
||||
"Permissions-Policy", "geolocation=(), microphone=(), camera=()"
|
||||
)
|
||||
|
||||
# Some dynamic scan findings
|
||||
# CORS-related security headers
|
||||
response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
|
||||
response.headers.add("Cross-Origin-Embedder-Policy", "require-corp")
|
||||
response.headers.add("Cross-Origin-Resource-Policy", "same-origin")
|
||||
response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
|
||||
|
||||
if not request.path.startswith("/docs"):
|
||||
response.headers.add(
|
||||
"Content-Security-Policy", "default-src 'none'; frame-ancestors 'none';"
|
||||
)
|
||||
|
||||
response.headers.add(
|
||||
"Strict-Transport-Security", "max-age=31536000; includeSubDomains"
|
||||
)
|
||||
|
||||
return response
|
||||
|
||||
|
||||
@@ -14,17 +14,20 @@ status = Blueprint("status", __name__)
|
||||
def show_status():
|
||||
try:
|
||||
if request.args.get("simple", None):
|
||||
return jsonify(status="ok"), 200
|
||||
response = jsonify(status="ok")
|
||||
else:
|
||||
return (
|
||||
jsonify(
|
||||
status="ok", # This should be considered part of the public API
|
||||
git_commit=version.__git_commit__,
|
||||
build_time=version.__time__,
|
||||
db_version=get_db_version(),
|
||||
),
|
||||
200,
|
||||
response = jsonify(
|
||||
status="ok", # This should be considered part of the public API
|
||||
git_commit=version.__git_commit__,
|
||||
build_time=version.__time__,
|
||||
db_version=get_db_version(),
|
||||
)
|
||||
|
||||
response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
|
||||
response.headers["Pragma"] = "no-cache"
|
||||
response.headers["Expires"] = "0"
|
||||
|
||||
return response, 200
|
||||
except Exception as e:
|
||||
current_app.logger.error(
|
||||
f"Unexpected error in show_status: {str(e)}", exc_info=True
|
||||
@@ -36,13 +39,16 @@ def show_status():
|
||||
@status.route("/_status/live-service-and-organization-counts")
|
||||
def live_service_and_organization_counts():
|
||||
try:
|
||||
return (
|
||||
jsonify(
|
||||
organizations=dao_count_organizations_with_live_services(),
|
||||
services=dao_count_live_services(),
|
||||
),
|
||||
200,
|
||||
response = jsonify(
|
||||
organizations=dao_count_organizations_with_live_services(),
|
||||
services=dao_count_live_services(),
|
||||
)
|
||||
|
||||
response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
|
||||
response.headers["Pragma"] = "no-cache"
|
||||
response.headers["Expires"] = "0"
|
||||
|
||||
return response, 200
|
||||
except Exception as e:
|
||||
current_app.logger.error(
|
||||
f"Unexpected error in live_service_and_organization_counts: {str(e)}",
|
||||
|
||||
Reference in New Issue
Block a user