From 9c96f0fd579a9e721469392aaa78b626ddd013d0 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Fri, 26 Nov 2021 08:38:26 -0700
Subject: [PATCH] Improve default response headers

Reponse headers now include the following:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security: max-age=63072000
- Only when HTTPS_ONLY is set
https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security
https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
https://infosec.mozilla.org/guidelines/web_security#x-frame-options
---
 app/routes.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/routes.py b/app/routes.py
index 1790c0d..9f66d74 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -145,9 +145,12 @@ def before_request_func():
 @app.after_request
 def after_request_func(resp):
+    resp.headers['X-Content-Type-Options'] = 'nosniff'
+    resp.headers['X-Frame-Options'] = 'DENY'
     resp.headers['Content-Security-Policy'] = app.config['CSP']
     if os.environ.get('HTTPS_ONLY', False):
         resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
+        resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
     return resp
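Review bot: The new Strict-Transport-Security line sets only `max-age`; the Mozilla guideline the commit cites recommends `max-age=63072000; includeSubDomains; preload` where the whole domain is served over HTTPS, so decide explicitly whether subdomains should be covered (`resp.headers['Strict-Transport-Security'] = 'max-age=63072000; includeSubDomains'`) rather than leaving it at the weakest form. The header is also gated on the existing `os.environ.get('HTTPS_ONLY', False)` test, which is truthy for any non-empty string including `HTTPS_ONLY=0` or `HTTPS_ONLY=false`; because browsers cache HSTS for the full max-age, a stricter parse such as `os.environ.get('HTTPS_ONLY', '').lower() in ('1', 'true')` would avoid pinning a deployment through a mis-set variable. The two unconditional headers are bare string literals with no explanation of why they apply to every response; a comment like `# Hardening defaults: block MIME sniffing and framing on every response` would help the next reader. The enclosing after_request_func appears complete within the hunk, though trailing blank context lines seem to have been lost in the collapsed layout.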