Issue #1328. Add security-related headers into @app.after_request.

Note: we don't set STS because localhost is not served over TLS. Fixes #1328.
webcompat · Feb 27, 2017 · 4af9549 · 4af9549
1 parent ffd75dc
commit 4af9549
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/webcompat/views.py b/webcompat/views.py
@@ -51,6 +51,12 @@ def before_request():
 @app.after_request
 def after_request(response):
     session_db.remove()
+    # Security headers
+    if not app.config['LOCALHOST']:
+        response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'  # nopep8
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-XSS-Protection'] = '1; mode=block'
+    response.headers['X-Frame-Options'] = 'DENY'
     return response