Issue #1328. Add security-related headers into @app.after_request.

Note: we don't set STS because localhost is not served over TLS. Fixes #1328.
webcompat · Feb 28, 2017 · fdcacec · fdcacec
1 parent b6e7456
commit fdcacec
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/webcompat/helpers.py b/webcompat/helpers.py
@@ -487,3 +487,15 @@ def policy(*args, **kwargs):
             return response
         return update_wrapper(policy, view)
     return set_policy
+
+
+def add_sec_headers(response):
+    '''Add security-related headers to the response.
+
+    This should be used in @app.after_request to ensure the headers are
+    added to all responses.'''
+    if not app.config['LOCALHOST']:
+        response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'  # nopep8
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-XSS-Protection'] = '1; mode=block'
+    response.headers['X-Frame-Options'] = 'DENY'
diff --git a/webcompat/views.py b/webcompat/views.py
@@ -21,6 +21,7 @@
 
 from form import AUTH_REPORT
 from form import PROXY_REPORT
+from helpers import add_sec_headers
 from helpers import cache_policy
 from helpers import get_browser_name
 from helpers import get_form
@@ -52,6 +53,7 @@ def before_request():
 @app.after_request
 def after_request(response):
     session_db.remove()
+    add_sec_headers(response)
     return response