Upgraded security headers to CSP to allow custom domain framing
webpass/__init__.py +9 -1
webpass/__init__.py
CHANGED
|
@@ -105,11 +105,19 @@ def create_app():
|
|
| 105 |
if not session.get('bio_verified'):
|
| 106 |
return redirect(url_for('bio.lock_screen'))
|
| 107 |
|
|
|
|
| 108 |
# 5. SECURITY HEADERS
|
| 109 |
@app.after_request
|
| 110 |
def add_security_headers(response):
|
| 111 |
response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
|
| 112 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 113 |
return response
|
| 114 |
|
| 115 |
from webpass.models import BiometricDevice
|
|
|
|
| 105 |
if not session.get('bio_verified'):
|
| 106 |
return redirect(url_for('bio.lock_screen'))
|
| 107 |
|
| 108 |
+
# 5. SECURITY HEADERS
|
| 109 |
# 5. SECURITY HEADERS
|
| 110 |
@app.after_request
|
| 111 |
def add_security_headers(response):
|
| 112 |
response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
|
| 113 |
+
|
| 114 |
+
# The modern, precise way to whitelist specific domains for iframing
|
| 115 |
+
# 'self' allows your own app, the URLs allow your specific domains
|
| 116 |
+
response.headers['Content-Security-Policy'] = "frame-ancestors 'self' https://webpass.augsec.in https://huggingface.co;"
|
| 117 |
+
|
| 118 |
+
# Note: We remove X-Frame-Options because CSP frame-ancestors replaces it
|
| 119 |
+
# and is fully supported by all modern browsers.
|
| 120 |
+
|
| 121 |
return response
|
| 122 |
|
| 123 |
from webpass.models import BiometricDevice
|
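Review bot: The `Content-Security-Policy` set at new line 116 lets every page under `https://huggingface.co` embed the app, and since `frame-ancestors` is matched per origin that includes pages on that host the project does not control, so framing of the unlocked password UI from there is accepted by design rather than by accident; the allowlist is also hard-coded, so the same third-party origins ship to every deployment. Consider sourcing it from config so staging and self-hosted instances can narrow it, e.g. `ancestors = app.config.get('FRAME_ANCESTORS', "'self'")` followed by `response.headers['Content-Security-Policy'] = f"frame-ancestors {ancestors}"`. The removed line at old 112 is blank on this page, so the `X-Frame-Options` value the new comment says was dropped cannot be confirmed here; if it was `SAMEORIGIN`, the comment on lines 118-119 should also state that clients which do not implement `frame-ancestors` are now left with no framing restriction at all. `create_app` begins before this hunk.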