def test_headers(self):
secure_headers = secure.Secure().headers()
self.assertEqual(
secure_headers["Strict-Transport-Security"],
"max-age=63072000; includeSubdomains",
)
self.assertEqual(
secure_headers["X-Frame-Options"],
"SAMEORIGIN",
)
self.assertEqual(
secure_headers["X-XSS-Protection"],
"0",
)
self.assertEqual(
secure_headers["X-Content-Type-Options"],
"nosniff",
)
self.assertEqual(
secure_headers["Referrer-Policy"],
"no-referrer, strict-origin-when-cross-origin",
)
self.assertEqual(
secure_headers["Cache-Control"],
"no-store",
)
def __init__(self, web_config, config):
"""Initialize web server
Args:
web_config: config settings for web interface (interface, port, root path)
config: SpiderFoot config
Raises:
TypeError: arg type is invalid
ValueError: arg value is invalid
"""
if not isinstance(config, dict):
raise TypeError(f"config is {type(config)}; expected dict()")
if not config:
raise ValueError("config is empty")
if not isinstance(web_config, dict):
raise TypeError(f"web_config is {type(web_config)}; expected dict()")
if not config:
raise ValueError("web_config is empty")
self.docroot = web_config.get('root', '/').rstrip('/')
# 'config' supplied will be the defaults, let's supplement them
# now with any configuration which may have previously been saved.
self.defaultConfig = deepcopy(config)
dbh = SpiderFootDb(self.defaultConfig)
sf = SpiderFoot(self.defaultConfig)
self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)
cherrypy.config.update({
'error_page.401': self.error_page_401,
'error_page.404': self.error_page_404,
'request.error_response': self.error_page
})
csp = (
secure.ContentSecurityPolicy()
.default_src("'self'")
.script_src("'self'", "'unsafe-inline'", "blob:")
.style_src("'self'", "'unsafe-inline'")
.base_uri("'self'")
.connect_src("'self'", "data:")
.frame_src("'self'", 'data:')
.img_src("'self'", "data:")
)
secure_headers = secure.Secure(
server=secure.Server().set("server"),
cache=secure.CacheControl().must_revalidate(),
csp=csp,
referrer=secure.ReferrerPolicy().no_referrer(),
)
cherrypy.config.update({
"tools.response_headers.on": True,
"tools.response_headers.headers": secure_headers.framework.cherrypy()
})
def test_header(self):
permissions = (secure.PermissionsPolicy().geolocation(
"self", '"spam.com"').fullscreen())
secure_headers = secure.Secure(permissions=permissions).headers()
self.assertEqual(
secure_headers["Permissions-Policy"],
'geolocation=(self "spam.com"), fullscreen=()',
)
def test_header(self):
hsts = (secure.StrictTransportSecurity().include_subdomains().preload(
).max_age(2592000))
secure_headers = secure.Secure(hsts=hsts).headers()
self.assertEqual(
secure_headers["Strict-Transport-Security"],
"includeSubDomains; preload; max-age=2592000",
)
def test_header(self):
csp = (secure.ContentSecurityPolicy().default_src("'none'").base_uri(
"'self'").connect_src("'self'",
"api.spam.com").frame_src("'none'").img_src(
"'self'", "static.spam.com"))
secure_headers = secure.Secure(csp=csp).headers()
self.assertEqual(
secure_headers["Content-Security-Policy"],
"default-src 'none'; base-uri 'self'; "
"connect-src 'self' api.spam.com; frame-src 'none'; img-src 'self' "
"static.spam.com",
)
def setup(app):
"""Set secure headers values.
Parameters
----------
app : aiohttp.web.Application
The aiohttp application instance.
"""
server = secure.Server().set("Secure")
csp_value = (secure.ContentSecurityPolicy().default_src("'none'").base_uri(
"'self'").connect_src("'self'").frame_src("'none'").img_src(
"'self'", "data:", "https:").font_src(
"'self'",
"https://fonts.gstatic.com/s/",
"https://fonts.googleapis.com/css2",
).manifest_src("'self'").worker_src("'self'", "blob:"))
# feature_value = secure.PermissionsPolicy().geolocation("'none'").vibrate("'none'")
if app["config"].get("https", False):
csp_value = csp_value.upgrade_insecure_requests()
hsts_value = (secure.StrictTransportSecurity().include_subdomains().
preload().max_age(2592000))
else:
hsts_value = None
if app["config"].get("sentry_csp_url", False):
csp_value = csp_value.custom_directive("report-uri",
app["config"]["sentry_csp_url"])
else:
csp_value = csp_value.custom_directive("report-uri", "/csp")
xfo_value = secure.XFrameOptions().deny()
referrer_value = secure.ReferrerPolicy().no_referrer()
cache_value = secure.CacheControl().no_store().must_revalidate(
).proxy_revalidate()
app["secure_headers"] = secure.Secure(
server=server,
csp=csp_value,
hsts=hsts_value,
xfo=xfo_value,
referrer=referrer_value,
# permissions=feature_value,
cache=cache_value,
)
"""
Use secure.py to set OWASP approved headers.
Test security on by going to this site: https://securityheaders.com/
See: https://owasp.org/www-project-secure-headers/
Based on: https://secure.readthedocs.io/en/latest/frameworks.html#django
"""
import secure
secure_headers = secure.Secure()
def set_secure_headers(get_response):
def middleware(request):
response = get_response(request)
secure_headers.framework.django(response)
return response
return middleware
api = Api(app=app, prefix='/api')
auth_k = []
parser = reqparse.RequestParser()
conf = ConfigParser()
conf.read(filenames='./server.cfg')
def print_error(er):
print("[ERROR] "+str(er))
print("API kończy pracę")
exit(0)
try:
Sec = secure.Secure()
except Exception as e:
print_error(e)
try:
conn = psycopg2.connect(dbname=conf['SERVER_SQL']['Database'],
user=conf['SERVER_SQL']['User'],
host=conf['SERVER_SQL']['Address'],
password=conf['SERVER_SQL']['Password'])
conn.autocommit = True
cur = conn.cursor()
except Exception as e:
print_error(e)
def test_header(self):
cache = secure.CacheControl().no_cache()
secure_headers = secure.Secure(cache=cache).headers()
self.assertEqual(secure_headers["Cache-Control"], "no-cache")
def test_header(self):
referrer = secure.ReferrerPolicy().strict_origin()
secure_headers = secure.Secure(referrer=referrer).headers()
self.assertEqual(secure_headers["Referrer-Policy"], "strict-origin")
def test_header(self):
xfo = secure.XFrameOptions().deny()
secure_headers = secure.Secure(xfo=xfo).headers()
self.assertEqual(secure_headers["X-Frame-Options"], "deny")
app.register_blueprint(main_routes)
# disable CSRF for API
csrf.exempt(api_bp)
sess = Session()
sess.init_app(app)
csrf.init_app(app)
compress.init_app(app)
# secure headers
hsts = secure.StrictTransportSecurity().preload().max_age(2592000)
secure_headers = secure.Secure(hsts=hsts)
@app.after_request
def set_secure_headers(response):
secure_headers.framework.flask(response)
return response
cache = Cache(config={'CACHE_TYPE': 'simple', "CACHE_DEFAULT_TIMEOUT": 300})
cache.init_app(app)
if config['logs']['logging'] == '1':
# output to log file
logging.basicConfig(handlers=[
logging.FileHandler(config['logs']['log_file']),
import os
import sys
import flask
from flask import render_template
from flask import request
folder = os.path.abspath(os.path.join(os.path.dirname(__file__), '..'))
sys.path.insert(0, folder)
import secure
xss=secure.XXSSProtection().set("1; mode=block")
secure_headers = secure.Secure(xxp=xss)
app = flask.Flask(__name__)
@app.route('/')
def index():
return "Hello worldd!"
def get_latest_tasks():
return [
{'id': 1, 'description': 'write post', 'done': False},
{'id': 2, 'description': 'create examples', 'done': True},
{'id': 3, 'description': 'simplify examples', 'done': True},
{'id': 4, 'description': 'create images', 'done': False},
]
@app.route('/tasks')
def tasks():
my_tasks = get_latest_tasks()
return render_template('tasks.html', name='Johnny', tasks=my_tasks)
"""
extensions.py: init flask extensions
"""
import secure
csp = secure.ContentSecurityPolicy()
hsts = secure.StrictTransportSecurity()
xfo = secure.XFrameOptions().deny()
referrer = secure.ReferrerPolicy().strict_origin()
cache = secure.CacheControl().no_cache()
secure_headers = secure.Secure(csp=csp,
hsts=hsts,
xfo=xfo,
referrer=referrer,
cache=cache)