[security] allowing to set static headers as configuration (#1126)

* [security] setting X-Frame-Options=SAMEORIGIN to prevent clickjacking * Changing to a more flexible approach
apache · Sep 21, 2016 · b587576 · b587576
1 parent f1e80a8
commit b587576
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/caravel/config.py b/caravel/config.py
@@ -220,6 +220,12 @@ class CeleryConfig(object):
 SQL_CELERY_DB_FILE_PATH = os.path.join(DATA_DIR, 'celerydb.sqlite')
 SQL_CELERY_RESULTS_DB_FILE_PATH = os.path.join(DATA_DIR, 'celery_results.sqlite')
 
+# static http headers to be served by your Caravel server.
+# The following example prevents iFrame from other domains
+# and "clickjacking" as a result
+# HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
+HTTP_HEADERS = {}
+
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None
 

diff --git a/caravel/views.py b/caravel/views.py
@@ -1796,6 +1796,14 @@ class CssTemplateModelView(CaravelModelView, DeleteMixin):
     icon="fa-flask")
 
 
+@app.after_request
+def apply_caching(response):
+    """Applies the configuration's http headers to all responses"""
+    for k, v in config.get('HTTP_HEADERS').items():
+        response.headers[k] = v
+    return response
+
+
 # ---------------------------------------------------------------------
 # Redirecting URL from previous names
 class RegexConverter(BaseConverter):