nakidai
/
whoogle-search
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve default response headers 

Reponse headers now include the following:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security: max-age=63072000
  - Only when HTTPS_ONLY is set

https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security
https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
https://infosec.mozilla.org/guidelines/web_security#x-frame-options
main
Ben Busby 2021-11-26 08:38:26 -07:00
parent 30d4337783
commit 9c96f0fd57
No known key found for this signature in database
GPG Key ID: 339B7B7EB5333D14
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/routes.py
View File

@ -145,9 +145,12 @@ def before_request_func():
@app.after_request @app.after_request
def after_request_func(resp): def after_request_func(resp):
resp.headers['X-Content-Type-Options'] = 'nosniff'
resp.headers['X-Frame-Options'] = 'DENY'
resp.headers['Content-Security-Policy'] = app.config['CSP'] resp.headers['Content-Security-Policy'] = app.config['CSP']
if os.environ.get('HTTPS_ONLY', False): if os.environ.get('HTTPS_ONLY', False):
resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests' resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
return resp return resp