diff options
author | Folker Bernitt <folker-bernitt-github@gmx.de> | 2016-02-22 11:16:18 +0100 |
---|---|---|
committer | Folker Bernitt <folker-bernitt-github@gmx.de> | 2016-02-22 11:16:18 +0100 |
commit | 6239fa6a410bbb96d2121eea4f3559edca4fea66 (patch) | |
tree | 9aa49cd6b38c3531d3ca332487a96fd6cf422be7 | |
parent | 26d1331c7fbd1ae282eefb24950e489eb44d1c0f (diff) | |
parent | b97115679929dfe4f69618f756850617f265048f (diff) |
Merge pull request #621 from phss/add-security-headers
Add recommended security headers
-rw-r--r-- | service/pixelated/config/site.py | 17 | ||||
-rw-r--r-- | service/test/unit/config/test_site.py | 11 |
2 files changed, 17 insertions, 11 deletions
diff --git a/service/pixelated/config/site.py b/service/pixelated/config/site.py index 8806366a..7163b52b 100644 --- a/service/pixelated/config/site.py +++ b/service/pixelated/config/site.py @@ -1,13 +1,16 @@ from twisted.web.server import Site, Request -class AddCSPHeaderRequest(Request): - HEADER_VALUES = "default-src 'self'; style-src 'self' 'unsafe-inline'" +class AddSecurityHeadersRequest(Request): + CSP_HEADER_VALUES = "default-src 'self'; style-src 'self' 'unsafe-inline'" def process(self): - self.setHeader("Content-Security-Policy", self.HEADER_VALUES) - self.setHeader("X-Content-Security-Policy", self.HEADER_VALUES) - self.setHeader("X-Webkit-CSP", self.HEADER_VALUES) + self.setHeader('Content-Security-Policy', self.CSP_HEADER_VALUES) + self.setHeader('X-Content-Security-Policy', self.CSP_HEADER_VALUES) + self.setHeader('X-Webkit-CSP', self.CSP_HEADER_VALUES) + self.setHeader('X-Frame-Options', 'SAMEORIGIN') + self.setHeader('X-XSS-Protection', '1; mode=block') + self.setHeader('X-Content-Type-Options', 'nosniff') if self.isSecure(): self.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains') @@ -17,11 +20,11 @@ class AddCSPHeaderRequest(Request): class PixelatedSite(Site): - requestFactory = AddCSPHeaderRequest + requestFactory = AddSecurityHeadersRequest @classmethod def enable_csp_requests(cls): - cls.requestFactory = AddCSPHeaderRequest + cls.requestFactory = AddSecurityHeadersRequest @classmethod def disable_csp_requests(cls): diff --git a/service/test/unit/config/test_site.py b/service/test/unit/config/test_site.py index 83464e89..7c381449 100644 --- a/service/test/unit/config/test_site.py +++ b/service/test/unit/config/test_site.py @@ -5,15 +5,18 @@ from twisted.protocols.basic import LineReceiver class TestPixelatedSite(unittest.TestCase): - def test_add_csp_header_request(self): + def test_add_security_headers(self): request = self.create_request() request.process() headers = request.headers header_value = "default-src 'self'; style-src 'self' 'unsafe-inline'" - self.assertEqual(headers.get("Content-Security-Policy"), header_value) - self.assertEqual(headers.get("X-Content-Security-Policy"), header_value) - self.assertEqual(headers.get("X-Webkit-CSP"), header_value) + self.assertEqual(headers.get('Content-Security-Policy'), header_value) + self.assertEqual(headers.get('X-Content-Security-Policy'), header_value) + self.assertEqual(headers.get('X-Webkit-CSP'), header_value) + self.assertEqual(headers.get('X-Frame-Options'), 'SAMEORIGIN') + self.assertEqual(headers.get('X-XSS-Protection'), '1; mode=block') + self.assertEqual(headers.get('X-Content-Type-Options'), 'nosniff') def test_add_strict_transport_security_header_if_secure(self): request = self.create_request() |