From 91b46f89fdbfffd45010db29126bd4da495e69ed Mon Sep 17 00:00:00 2001
From: Ratan Gupta
Date: Sun, 14 Jan 2018 12:52:23 +0530
Subject: Security: Cross Site Scripting

This commit fixes the Cross Site scripting attack by adding security headers in response packet.

Partially Resolves openbmc/openbmc#2423

Change-Id: Ie0ea05408af3d841a54f528863ed1bf65a8c3ed7
Signed-off-by: Ratan Gupta
---
 module/obmc/wsgi/apps/rest_dbus.py | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'module/obmc/wsgi')

diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py
index f172cdc..cda23df 100644
--- a/module/obmc/wsgi/apps/rest_dbus.py
+++ b/module/obmc/wsgi/apps/rest_dbus.py
@@ -966,6 +966,14 @@ class CorsPlugin(object):
         response.add_header('Access-Control-Allow-Methods', method)
         response.add_header(
             'Access-Control-Allow-Headers', 'Content-Type')
+        response.add_header('X-Frame-Options', 'deny')
+        response.add_header('X-Content-Type-Options', 'nosniff')
+        response.add_header('X-XSS-Protection', '1; mode=block')
+        response.add_header(
+            'Content-Security-Policy', "default-src 'self'")
+        response.add_header(
+            'Strict-Transport-Security',
+            'max-age=31536000; includeSubDomains; preload')
 
     def __init__(self, app):
         app.install_error_callback(self.error_callback)
-- 
cgit v1.2.1
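Review bot: The new headers are added inside a CorsPlugin method whose visible context only emits Access-Control-* headers, so if that method runs solely for requests carrying an Origin header (which the surrounding code suggests but the hunk does not show), ordinary same-origin browser responses — the ones an XSS mitigation must cover — never receive X-Frame-Options, Content-Security-Policy or Strict-Transport-Security; the defensive headers belong in a hook applied to every response regardless of origin. The `preload` directive on the last added line is a commitment to the browser HSTS preload list, which a BMC serving a self-signed certificate is unlikely to meet, and `includeSubDomains` can lock out other hosts under the same name, so `'max-age=31536000; includeSubDomains'` without `preload` is the safer default (the header is only honoured over TLS in any case). `default-src 'self'` also blocks inline scripts and styles, so confirm the served web UI still renders before relying on it. As a matter of style, the five add_header calls could iterate one module-level tuple of (name, value) pairs so the whole header policy is visible in a single place. The enclosing method starts outside the hunk.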