diff options
author | Ratan Gupta <ratagupt@in.ibm.com> | 2018-01-14 12:52:23 +0530 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-01-23 12:18:43 -0500 |
commit | 91b46f89fdbfffd45010db29126bd4da495e69ed (patch) | |
tree | d9764d4474a72aa33be18bbbc3cfc6fef192c7ed /module | |
parent | b7fca9bc169be788bb6a55819e2dab923a6e03d4 (diff) | |
download | phosphor-rest-server-91b46f89fdbfffd45010db29126bd4da495e69ed.tar.gz phosphor-rest-server-91b46f89fdbfffd45010db29126bd4da495e69ed.zip |
Security: Cross Site Scripting
This commit fixes the Cross Site scripting attack
by adding security headers in response packet.
Partially Resolves openbmc/openbmc#2423
Change-Id: Ie0ea05408af3d841a54f528863ed1bf65a8c3ed7
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Diffstat (limited to 'module')
-rw-r--r-- | module/obmc/wsgi/apps/rest_dbus.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py index f172cdc..cda23df 100644 --- a/module/obmc/wsgi/apps/rest_dbus.py +++ b/module/obmc/wsgi/apps/rest_dbus.py @@ -966,6 +966,14 @@ class CorsPlugin(object): response.add_header('Access-Control-Allow-Methods', method) response.add_header( 'Access-Control-Allow-Headers', 'Content-Type') + response.add_header('X-Frame-Options', 'deny') + response.add_header('X-Content-Type-Options', 'nosniff') + response.add_header('X-XSS-Protection', '1; mode=block') + response.add_header( + 'Content-Security-Policy', "default-src 'self'") + response.add_header( + 'Strict-Transport-Security', + 'max-age=31536000; includeSubDomains; preload') def __init__(self, app): app.install_error_callback(self.error_callback) |