Merge pull request #15 from kclapper/headers

Security Headers Added and FLASK_ENV Added

Closes #11 and closes #14

Author: kclapper

badstats/__init__.py

@@ -13,6 +13,8 @@ def create_app(test_config=None):
     app.config.from_mapping(
         SECRET_KEY=os.environ["FLASK_SECRET"],
         DATABASE=database,
+        SESSION_COOKIE_SECURE=True,
+        SESSION_COOKIE_SAMESITE='Strict'
     )
 
     if test_config is None:
@@ -41,6 +43,22 @@ def create_app(test_config=None):
     app.register_blueprint(stats.bp)
     app.add_url_rule('/', endpoint='index')
 
+    @app.after_request
+    def setSecureHeaders(response):
+        headers = {
+            'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+            'Content-Security-Policy': "default-src 'self'; script-src 'self';\
+                img-src 'self' https://*.scdn.co data: ;",
+            'X-Content-Type-Options': 'nosniff',
+            'X-Frame-Options': 'SAMEORIGIN',
+
+
+        }
+
+        response.headers.update(headers)
+
+        return response
+
     return app
 
 def getHostname():

k8s-manifests/badstats.yml

@@ -52,6 +52,8 @@ spec:
                 secretKeyRef:
                   name: badstats
                   key: flask_secret
+            - name: FLASK_ENV
+              value: "production"
           volumeMounts:
             - mountPath: /usr/src/app/instance
               name: data