def test_headers(self): secure_headers = secure.Secure().headers() self.assertEqual( secure_headers["Strict-Transport-Security"], "max-age=63072000; includeSubdomains", ) self.assertEqual( secure_headers["X-Frame-Options"], "SAMEORIGIN", ) self.assertEqual( secure_headers["X-XSS-Protection"], "0", ) self.assertEqual( secure_headers["X-Content-Type-Options"], "nosniff", ) self.assertEqual( secure_headers["Referrer-Policy"], "no-referrer, strict-origin-when-cross-origin", ) self.assertEqual( secure_headers["Cache-Control"], "no-store", )
def __init__(self, web_config, config): """Initialize web server Args: web_config: config settings for web interface (interface, port, root path) config: SpiderFoot config Raises: TypeError: arg type is invalid ValueError: arg value is invalid """ if not isinstance(config, dict): raise TypeError(f"config is {type(config)}; expected dict()") if not config: raise ValueError("config is empty") if not isinstance(web_config, dict): raise TypeError(f"web_config is {type(web_config)}; expected dict()") if not config: raise ValueError("web_config is empty") self.docroot = web_config.get('root', '/').rstrip('/') # 'config' supplied will be the defaults, let's supplement them # now with any configuration which may have previously been saved. self.defaultConfig = deepcopy(config) dbh = SpiderFootDb(self.defaultConfig) sf = SpiderFoot(self.defaultConfig) self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig) cherrypy.config.update({ 'error_page.401': self.error_page_401, 'error_page.404': self.error_page_404, 'request.error_response': self.error_page }) csp = ( secure.ContentSecurityPolicy() .default_src("'self'") .script_src("'self'", "'unsafe-inline'", "blob:") .style_src("'self'", "'unsafe-inline'") .base_uri("'self'") .connect_src("'self'", "data:") .frame_src("'self'", 'data:') .img_src("'self'", "data:") ) secure_headers = secure.Secure( server=secure.Server().set("server"), cache=secure.CacheControl().must_revalidate(), csp=csp, referrer=secure.ReferrerPolicy().no_referrer(), ) cherrypy.config.update({ "tools.response_headers.on": True, "tools.response_headers.headers": secure_headers.framework.cherrypy() })
def test_header(self): permissions = (secure.PermissionsPolicy().geolocation( "self", '"spam.com"').fullscreen()) secure_headers = secure.Secure(permissions=permissions).headers() self.assertEqual( secure_headers["Permissions-Policy"], 'geolocation=(self "spam.com"), fullscreen=()', )
def test_header(self): hsts = (secure.StrictTransportSecurity().include_subdomains().preload( ).max_age(2592000)) secure_headers = secure.Secure(hsts=hsts).headers() self.assertEqual( secure_headers["Strict-Transport-Security"], "includeSubDomains; preload; max-age=2592000", )
def test_header(self): csp = (secure.ContentSecurityPolicy().default_src("'none'").base_uri( "'self'").connect_src("'self'", "api.spam.com").frame_src("'none'").img_src( "'self'", "static.spam.com")) secure_headers = secure.Secure(csp=csp).headers() self.assertEqual( secure_headers["Content-Security-Policy"], "default-src 'none'; base-uri 'self'; " "connect-src 'self' api.spam.com; frame-src 'none'; img-src 'self' " "static.spam.com", )
def setup(app): """Set secure headers values. Parameters ---------- app : aiohttp.web.Application The aiohttp application instance. """ server = secure.Server().set("Secure") csp_value = (secure.ContentSecurityPolicy().default_src("'none'").base_uri( "'self'").connect_src("'self'").frame_src("'none'").img_src( "'self'", "data:", "https:").font_src( "'self'", "https://fonts.gstatic.com/s/", "https://fonts.googleapis.com/css2", ).manifest_src("'self'").worker_src("'self'", "blob:")) # feature_value = secure.PermissionsPolicy().geolocation("'none'").vibrate("'none'") if app["config"].get("https", False): csp_value = csp_value.upgrade_insecure_requests() hsts_value = (secure.StrictTransportSecurity().include_subdomains(). preload().max_age(2592000)) else: hsts_value = None if app["config"].get("sentry_csp_url", False): csp_value = csp_value.custom_directive("report-uri", app["config"]["sentry_csp_url"]) else: csp_value = csp_value.custom_directive("report-uri", "/csp") xfo_value = secure.XFrameOptions().deny() referrer_value = secure.ReferrerPolicy().no_referrer() cache_value = secure.CacheControl().no_store().must_revalidate( ).proxy_revalidate() app["secure_headers"] = secure.Secure( server=server, csp=csp_value, hsts=hsts_value, xfo=xfo_value, referrer=referrer_value, # permissions=feature_value, cache=cache_value, )
""" Use secure.py to set OWASP approved headers. Test security on by going to this site: https://securityheaders.com/ See: https://owasp.org/www-project-secure-headers/ Based on: https://secure.readthedocs.io/en/latest/frameworks.html#django """ import secure secure_headers = secure.Secure() def set_secure_headers(get_response): def middleware(request): response = get_response(request) secure_headers.framework.django(response) return response return middleware
api = Api(app=app, prefix='/api') auth_k = [] parser = reqparse.RequestParser() conf = ConfigParser() conf.read(filenames='./server.cfg') def print_error(er): print("[ERROR] "+str(er)) print("API kończy pracę") exit(0) try: Sec = secure.Secure() except Exception as e: print_error(e) try: conn = psycopg2.connect(dbname=conf['SERVER_SQL']['Database'], user=conf['SERVER_SQL']['User'], host=conf['SERVER_SQL']['Address'], password=conf['SERVER_SQL']['Password']) conn.autocommit = True cur = conn.cursor() except Exception as e: print_error(e)
def test_header(self): cache = secure.CacheControl().no_cache() secure_headers = secure.Secure(cache=cache).headers() self.assertEqual(secure_headers["Cache-Control"], "no-cache")
def test_header(self): referrer = secure.ReferrerPolicy().strict_origin() secure_headers = secure.Secure(referrer=referrer).headers() self.assertEqual(secure_headers["Referrer-Policy"], "strict-origin")
def test_header(self): xfo = secure.XFrameOptions().deny() secure_headers = secure.Secure(xfo=xfo).headers() self.assertEqual(secure_headers["X-Frame-Options"], "deny")
app.register_blueprint(main_routes) # disable CSRF for API csrf.exempt(api_bp) sess = Session() sess.init_app(app) csrf.init_app(app) compress.init_app(app) # secure headers hsts = secure.StrictTransportSecurity().preload().max_age(2592000) secure_headers = secure.Secure(hsts=hsts) @app.after_request def set_secure_headers(response): secure_headers.framework.flask(response) return response cache = Cache(config={'CACHE_TYPE': 'simple', "CACHE_DEFAULT_TIMEOUT": 300}) cache.init_app(app) if config['logs']['logging'] == '1': # output to log file logging.basicConfig(handlers=[ logging.FileHandler(config['logs']['log_file']),
import os import sys import flask from flask import render_template from flask import request folder = os.path.abspath(os.path.join(os.path.dirname(__file__), '..')) sys.path.insert(0, folder) import secure xss=secure.XXSSProtection().set("1; mode=block") secure_headers = secure.Secure(xxp=xss) app = flask.Flask(__name__) @app.route('/') def index(): return "Hello worldd!" def get_latest_tasks(): return [ {'id': 1, 'description': 'write post', 'done': False}, {'id': 2, 'description': 'create examples', 'done': True}, {'id': 3, 'description': 'simplify examples', 'done': True}, {'id': 4, 'description': 'create images', 'done': False}, ] @app.route('/tasks') def tasks(): my_tasks = get_latest_tasks() return render_template('tasks.html', name='Johnny', tasks=my_tasks)
""" extensions.py: init flask extensions """ import secure csp = secure.ContentSecurityPolicy() hsts = secure.StrictTransportSecurity() xfo = secure.XFrameOptions().deny() referrer = secure.ReferrerPolicy().strict_origin() cache = secure.CacheControl().no_cache() secure_headers = secure.Secure(csp=csp, hsts=hsts, xfo=xfo, referrer=referrer, cache=cache)