
add security headers
crazyguitar committed Sep 12, 2018
1 parent c49cb9b commit 10380e4
Showing 4 changed files with 21 additions and 1 deletion.
6 changes: 6 additions & 0 deletions app.py
Expand Up @@ -4,6 +4,8 @@

from flask import Flask, abort, send_from_directory
from flask_sslify import SSLify
from flask_seasurf import SeaSurf
from flask_talisman import Talisman

DIR = os.path.dirname(os.path.realpath(__file__))
ROOT = os.path.join(DIR, "docs", "_build", "html")
Expand All @@ -19,7 +21,11 @@ def find_key(token):
return os.environ.get("ACME_KEY_{}".format(n))


csp = {"default-src": ["*", "'unsafe-inline'", "'unsafe-eval'"]}
app = Flask(__name__)
app.config["SECRET_KEY"] = os.urandom(16)
csrf = SeaSurf(app)
talisman = Talisman(app, force_https=False, content_security_policy=csp)

if "DYNO" in os.environ:
sslify = SSLify(app, skips=[".well-known"])
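Review bot: The policy at `csp = {"default-src": ["*", "'unsafe-inline'", "'unsafe-eval'"]}` allows every origin plus inline and eval'd script, so the Content-Security-Policy header Talisman now emits blocks nothing and gives no XSS mitigation; Talisman's own default is stricter and would be a better starting point, e.g. `csp = {"default-src": "'self'"}`, loosening only `script-src` if the Sphinx-built pages turn out to need inline scripts. Separately, `app.config["SECRET_KEY"] = os.urandom(16)` yields a different key in every process, so under the multi-worker gunicorn pinned in requirements.txt Flask's signed session cookie (and anything SeaSurf keeps in it) issued by one worker is rejected by another, and every restart invalidates them all; reading the key from the environment, as `find_key` already does for ACME keys, would be consistent with the rest of the file. The `find_key` function named in the second hunk header starts outside the hunk.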
13 changes: 13 additions & 0 deletions app_test.py
Expand Up @@ -34,10 +34,20 @@ def create_app(self):
app.config["LIVESERVER_PORT"] = 0
return app

def check_security_headers(self, resp):
"""Check security headers."""
headers = resp.headers
self.assertTrue("X-Content-Security-Policy" in headers)
self.assertTrue("X-XSS-Protection" in headers)
self.assertTrue("X-Content-Type-Options" in headers)
self.assertTrue("Content-Security-Policy" in headers)
self.assertEqual(headers["X-Frame-Options"], "SAMEORIGIN")

def test_index_redirection_req(self):
"""Test that send a request for the index page."""
url = self.get_server_url()
resp = requests.get(url)
self.check_security_headers(resp)
self.assertEqual(resp.status_code, 200)

def test_static_proxy_req(self):
Expand All @@ -47,17 +57,20 @@ def test_static_proxy_req(self):
for h in htmls:
u = url + "/notes/" + h
resp = requests.get(u)
self.check_security_headers(resp)
self.assertEqual(resp.status_code, 200)

def test_acme_req(self):
"""Test that send a request for a acme key."""
url = self.get_server_url()
u = url + "/.well-known/acme-challenge/token"
resp = requests.get(u)
self.check_security_headers(resp)
self.assertEqual(resp.status_code, 200)

u = url + "/.well-known/acme-challenge/foo"
resp = requests.get(u)
self.check_security_headers(resp)
self.assertEqual(resp.status_code, 404)

def test_find_key(self):
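Review bot: `check_security_headers` only asserts that the Content-Security-Policy, X-XSS-Protection and X-Content-Type-Options headers exist, so it passes for any value, including a wide-open `default-src *` policy; pin the expected values the way the `X-Frame-Options` line already does, e.g. `self.assertEqual(headers["X-Content-Type-Options"], "nosniff")` and an `assertEqual` on `headers["Content-Security-Policy"]` against the policy configured in app.py. `self.assertIn(name, headers)` would also give a more useful failure message than `self.assertTrue(name in headers)`. The `test_static_proxy_req` method named in the second hunk header starts outside the hunk, and `test_find_key` at its end is cut off.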
1 change: 0 additions & 1 deletion docs/conf.py
Expand Up @@ -31,7 +31,6 @@
extensions = [
'sphinx.ext.todo',
'sphinx.ext.coverage',
'sphinx.ext.mathjax',
'sphinx.ext.viewcode',
]

2 changes: 2 additions & 0 deletions requirements.txt
Expand Up @@ -6,6 +6,8 @@ docutils==0.14
Flask==1.0.2
Flask-SSLify==0.1.5
Flask-Testing==0.7.1
Flask-SeaSurf==0.2.2
flask-talisman==0.5.1
gunicorn==19.9.0
pycodestyle==2.4.0
pydocstyle==2.1.1
