Diffstat (limited to 'service')
-rw-r--r--service/pixelated/config/site.py17
-rw-r--r--service/test/unit/config/test_site.py11
2 files changed, 17 insertions, 11 deletions
diff --git a/service/pixelated/config/site.py b/service/pixelated/config/site.py
index 8806366a..7163b52b 100644
--- a/service/pixelated/config/site.py
+++ b/service/pixelated/config/site.py
@@ -1,13 +1,16 @@
from twisted.web.server import Site, Request
-class AddCSPHeaderRequest(Request):
- HEADER_VALUES = "default-src 'self'; style-src 'self' 'unsafe-inline'"
+class AddSecurityHeadersRequest(Request):
+ CSP_HEADER_VALUES = "default-src 'self'; style-src 'self' 'unsafe-inline'"
def process(self):
- self.setHeader("Content-Security-Policy", self.HEADER_VALUES)
- self.setHeader("X-Content-Security-Policy", self.HEADER_VALUES)
- self.setHeader("X-Webkit-CSP", self.HEADER_VALUES)
+ self.setHeader('Content-Security-Policy', self.CSP_HEADER_VALUES)
+ self.setHeader('X-Content-Security-Policy', self.CSP_HEADER_VALUES)
+ self.setHeader('X-Webkit-CSP', self.CSP_HEADER_VALUES)
+ self.setHeader('X-Frame-Options', 'SAMEORIGIN')
+ self.setHeader('X-XSS-Protection', '1; mode=block')
+ self.setHeader('X-Content-Type-Options', 'nosniff')
if self.isSecure():
self.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
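Review bot: The new `X-XSS-Protection: 1; mode=block` line (just after the X-Frame-Options one) turns on the legacy browser XSS auditor, which current guidance recommends disabling with `self.setHeader('X-XSS-Protection', '0')` because the auditor has been removed from Chromium and was itself usable as a cross-origin information leak, while a real CSP already covers inline-script injection. The policy string in `CSP_HEADER_VALUES` also carries no `frame-ancestors` directive, which `default-src` does not govern, so framing protection rests on X-Frame-Options alone; appending `; frame-ancestors 'self'` keeps the two mechanisms in agreement for browsers that ignore the legacy header. The HSTS header is only emitted when `self.isSecure()` is true, which presumably is false behind a TLS-terminating reverse proxy, so a short comment stating the intended deployment model (TLS terminated by twisted itself) would help the next reader. The matching assertion in test_site.py would change with the X-XSS-Protection value.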
@@ -17,11 +20,11 @@ class AddCSPHeaderRequest(Request):
class PixelatedSite(Site):
- requestFactory = AddCSPHeaderRequest
+ requestFactory = AddSecurityHeadersRequest
@classmethod
def enable_csp_requests(cls):
- cls.requestFactory = AddCSPHeaderRequest
+ cls.requestFactory = AddSecurityHeadersRequest
@classmethod
def disable_csp_requests(cls):
diff --git a/service/test/unit/config/test_site.py b/service/test/unit/config/test_site.py
index 83464e89..7c381449 100644
--- a/service/test/unit/config/test_site.py
+++ b/service/test/unit/config/test_site.py
@@ -5,15 +5,18 @@ from twisted.protocols.basic import LineReceiver
class TestPixelatedSite(unittest.TestCase):
- def test_add_csp_header_request(self):
+ def test_add_security_headers(self):
request = self.create_request()
request.process()
headers = request.headers
header_value = "default-src 'self'; style-src 'self' 'unsafe-inline'"
- self.assertEqual(headers.get("Content-Security-Policy"), header_value)
- self.assertEqual(headers.get("X-Content-Security-Policy"), header_value)
- self.assertEqual(headers.get("X-Webkit-CSP"), header_value)
+ self.assertEqual(headers.get('Content-Security-Policy'), header_value)
+ self.assertEqual(headers.get('X-Content-Security-Policy'), header_value)
+ self.assertEqual(headers.get('X-Webkit-CSP'), header_value)
+ self.assertEqual(headers.get('X-Frame-Options'), 'SAMEORIGIN')
+ self.assertEqual(headers.get('X-XSS-Protection'), '1; mode=block')
+ self.assertEqual(headers.get('X-Content-Type-Options'), 'nosniff')
def test_add_strict_transport_security_header_if_secure(self):
request = self.create_request()