
bug 887790: Balrog Admin UI missing security headers. r=mgerva
bhearsum committed Mar 5, 2014
1 parent 8a09f1a commit 71b9f6e
Showing 2 changed files with 11 additions and 0 deletions.
7 changes: 7 additions & 0 deletions auslib/admin/base.py
Expand Up @@ -31,6 +31,13 @@ def isa(error):
log.debug("Request headers are: %s", request.headers)
return error

# bug 887790: add necessary security headers
@app.after_request
def add_security_headers(response):
response.headers['X-Frame-Options'] = 'DENY'
response.headers['X-Content-Type-Options'] = 'nosniff'
return response

app.add_url_rule('/csrf_token', view_func=CSRFView.as_view('csrf'))
app.add_url_rule('/users', view_func=UsersView.as_view('users'))
app.add_url_rule('/users/<username>/permissions', view_func=PermissionsView.as_view('permissions'))
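Review bot: `add_security_headers` sets only `X-Frame-Options` and `X-Content-Type-Options`, so the admin UI is still served without a `Content-Security-Policy`, which is the more general control (its `frame-ancestors` directive covers the clickjacking case and it also limits where scripts may load from); consider adding it in the same hook, e.g. `response.headers['Content-Security-Policy'] = "default-src 'self'; frame-ancestors 'none'"` (constructed sample), after checking the UI's inline-script and third-party asset usage so the policy does not break pages. The hook overwrites any header value a view may have set, which is the intended behaviour for a global deny but should be stated, e.g. the docstring `"""Attach security headers to every response; overrides any per-view value."""`. These headers are only attached to responses Flask itself builds, so responses produced by a fronting proxy or the WSGI server for requests that never reach the app will not carry them, which is worth confirming in deployment. The `isa` error handler whose tail appears at the top of the hunk begins outside it.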
4 changes: 4 additions & 0 deletions auslib/test/admin/views/test_index.py
Expand Up @@ -6,6 +6,10 @@


class TestIndexPage(ViewTest):
def testSecurityHeaders(self):
ret = self.client.get('/')
self.assertEquals(ret.headers['X-Frame-Options'], 'DENY')
self.assertEquals(ret.headers['X-Content-Type-Options'], 'nosniff')

def testLandingPage(self):
ret = self.client.get('/')
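Review bot: `testSecurityHeaders` uses `assertEquals`, the deprecated alias of `assertEqual`; the two new assertions should read `self.assertEqual(ret.headers['X-Frame-Options'], 'DENY')` and `self.assertEqual(ret.headers['X-Content-Type-Options'], 'nosniff')`. The test only exercises the `/` landing page, so it does not show that the after-request hook also covers error responses; a second request to a path that yields a non-200 status, with the same two header assertions, would pin that down. `TestIndexPage` continues past the end of the hunk.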
