From 7557136d5dd9c2a5af0d824f057db2dfef8a8cde Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 13 Oct 2016 11:08:05 -0400
Subject: [PATCH] Add a number of security headers

There are a number of headers security scanners expect. Explicitly declare how strict browser should be with responses.
---
 confluent_server/confluent/httpapi.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index ca114ee5..4551eb0f 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -369,7 +369,12 @@ def resourcehandler_backend(env, start_response):
     """Function to handle new wsgi requests
     """
     mimetype, extension = _pick_mimetype(env)
-    headers = [('Content-Type', mimetype), ('Cache-Control', 'no-cache')]
+    headers = [('Content-Type', mimetype), ('Cache-Control', 'no-cache'),
+               ('X-Content-Type-Options', 'nosniff'),
+               ('Content-Security-Policy', "default-src 'self'"),
+               ('X-XSS-Protection', '1'), ('X-Frame-Options', 'deny'),
+               ('Strict-Transport-Security', 'max-age=86400'),
+               ('X-Permitted-Cross-Domain-Policies', 'none')]
     reqbody = None
     reqtype = None
     if 'CONTENT_LENGTH' in env and int(env['CONTENT_LENGTH']) > 0:
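Review bot: The `Strict-Transport-Security` value `max-age=86400` pins HTTPS for only one day, so a browser that does not revisit within that window loses the protection and most scanners and deployment guides expect at least six months, e.g. `('Strict-Transport-Security', 'max-age=15768000; includeSubDomains')` (only add `includeSubDomains` once every subdomain is known to be served over TLS). `X-XSS-Protection` is sent as `'1'`, which enables the filter in sanitizing mode; the value those same scanners look for is `'1; mode=block'`, which makes the browser stop rendering instead of rewriting the page. `Content-Security-Policy: default-src 'self'` also blocks inline scripts and styles and `data:` URIs, so if the served UI relies on any of those it will stop working; I cannot see the static assets from this hunk, so please confirm against the UI before merging. Since every entry except `Content-Type` is constant, hoisting them into a module-level tuple such as `_SECURITY_HEADERS` and extending the list per request would keep this function readable and give the policy one place to live. `resourcehandler_backend` begins at the hunk header and continues past the end of the hunk.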