Merge pull request #1882 from GSA/1720-july-zap-scan-results

Made changes for zap scans
This commit is contained in:
Alex Janousek
2025-07-31 16:19:09 -04:00
committed by GitHub
4 changed files with 83 additions and 20 deletions

View File

@@ -301,15 +301,44 @@ def init_app(app):
g.start = monotonic()
g.endpoint = request.endpoint
@app.before_request
def handle_options():
if request.method == "OPTIONS":
response = make_response("", 204)
response.headers["Access-Control-Allow-Origin"] = "*"
response.headers["Access-Control-Allow-Methods"] = (
"GET, POST, PUT, DELETE, OPTIONS"
)
response.headers["Access-Control-Allow-Headers"] = (
"Content-Type, Authorization"
)
response.headers["Access-Control-Max-Age"] = "3600"
return response
@app.after_request
def after_request(response):
# Security headers for government compliance
response.headers.add("X-Content-Type-Options", "nosniff")
response.headers.add("X-Frame-Options", "DENY")
response.headers.add("X-XSS-Protection", "1; mode=block")
response.headers.add("Referrer-Policy", "strict-origin-when-cross-origin")
response.headers.add(
"Permissions-Policy", "geolocation=(), microphone=(), camera=()"
)
# Some dynamic scan findings
# CORS-related security headers
response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
response.headers.add("Cross-Origin-Embedder-Policy", "require-corp")
response.headers.add("Cross-Origin-Resource-Policy", "same-origin")
response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
if not request.path.startswith("/docs"):
response.headers.add(
"Content-Security-Policy", "default-src 'none'; frame-ancestors 'none';"
)
response.headers.add(
"Strict-Transport-Security", "max-age=31536000; includeSubDomains"
)
return response

View File

@@ -14,17 +14,20 @@ status = Blueprint("status", __name__)
def show_status():
try:
if request.args.get("simple", None):
return jsonify(status="ok"), 200
response = jsonify(status="ok")
else:
return (
jsonify(
status="ok", # This should be considered part of the public API
git_commit=version.__git_commit__,
build_time=version.__time__,
db_version=get_db_version(),
),
200,
response = jsonify(
status="ok", # This should be considered part of the public API
git_commit=version.__git_commit__,
build_time=version.__time__,
db_version=get_db_version(),
)
response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
response.headers["Pragma"] = "no-cache"
response.headers["Expires"] = "0"
return response, 200
except Exception as e:
current_app.logger.error(
f"Unexpected error in show_status: {str(e)}", exc_info=True
@@ -36,13 +39,16 @@ def show_status():
@status.route("/_status/live-service-and-organization-counts")
def live_service_and_organization_counts():
try:
return (
jsonify(
organizations=dao_count_organizations_with_live_services(),
services=dao_count_live_services(),
),
200,
response = jsonify(
organizations=dao_count_organizations_with_live_services(),
services=dao_count_live_services(),
)
response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
response.headers["Pragma"] = "no-cache"
response.headers["Expires"] = "0"
return response, 200
except Exception as e:
current_app.logger.error(
f"Unexpected error in live_service_and_organization_counts: {str(e)}",