summaryrefslogtreecommitdiffstats
path: root/module/obmc/wsgi
diff options
context:
space:
mode:
authorRatan Gupta <ratagupt@in.ibm.com>2018-01-14 12:52:23 +0530
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2018-01-23 12:18:43 -0500
commit91b46f89fdbfffd45010db29126bd4da495e69ed (patch)
treed9764d4474a72aa33be18bbbc3cfc6fef192c7ed /module/obmc/wsgi
parentb7fca9bc169be788bb6a55819e2dab923a6e03d4 (diff)
downloadphosphor-rest-server-91b46f89fdbfffd45010db29126bd4da495e69ed.tar.gz
phosphor-rest-server-91b46f89fdbfffd45010db29126bd4da495e69ed.zip
Security: Cross Site Scripting
This commit fixes the Cross Site scripting attack by adding security headers in response packet. Partially Resolves openbmc/openbmc#2423 Change-Id: Ie0ea05408af3d841a54f528863ed1bf65a8c3ed7 Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Diffstat (limited to 'module/obmc/wsgi')
-rw-r--r--module/obmc/wsgi/apps/rest_dbus.py8
1 files changed, 8 insertions, 0 deletions
diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py
index f172cdc..cda23df 100644
--- a/module/obmc/wsgi/apps/rest_dbus.py
+++ b/module/obmc/wsgi/apps/rest_dbus.py
@@ -966,6 +966,14 @@ class CorsPlugin(object):
response.add_header('Access-Control-Allow-Methods', method)
response.add_header(
'Access-Control-Allow-Headers', 'Content-Type')
+ response.add_header('X-Frame-Options', 'deny')
+ response.add_header('X-Content-Type-Options', 'nosniff')
+ response.add_header('X-XSS-Protection', '1; mode=block')
+ response.add_header(
+ 'Content-Security-Policy', "default-src 'self'")
+ response.add_header(
+ 'Strict-Transport-Security',
+ 'max-age=31536000; includeSubDomains; preload')
def __init__(self, app):
app.install_error_callback(self.error_callback)
OpenPOWER on IntegriCloud