Security: Cross Site Scripting

This commit fixes the cross-site scripting attack
by adding security headers to the response packet.

Partially Resolves openbmc/openbmc#2423

Change-Id: Ie0ea05408af3d841a54f528863ed1bf65a8c3ed7
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py
index f172cdc..cda23df 100644
--- a/module/obmc/wsgi/apps/rest_dbus.py
+++ b/module/obmc/wsgi/apps/rest_dbus.py
@@ -966,6 +966,14 @@
             response.add_header('Access-Control-Allow-Methods', method)
             response.add_header(
                 'Access-Control-Allow-Headers', 'Content-Type')
+            response.add_header('X-Frame-Options', 'deny')
+            response.add_header('X-Content-Type-Options', 'nosniff')
+            response.add_header('X-XSS-Protection', '1; mode=block')
+            response.add_header(
+                'Content-Security-Policy', "default-src 'self'")
+            response.add_header(
+                'Strict-Transport-Security',
+                'max-age=31536000; includeSubDomains; preload')
 
     def __init__(self, app):
         app.install_error_callback(self.error_callback)
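Review bot: The five new `response.add_header(...)` calls sit at the same indent as the `Access-Control-Allow-*` calls, so they appear to be inside whatever condition guards the CORS headers. That block starts outside the hunk, so this is inferred, but if the branch is only taken for some requests, every other response goes out without `Content-Security-Policy` or `X-Content-Type-Options`. Adding them outside the CORS branch, so they are set on every response, would match the commit's intent. The HSTS value is also worth reconsidering: browsers ignore `Strict-Transport-Security` for hosts addressed by IP literal, and `includeSubDomains; preload` commits the whole parent domain, so `'max-age=31536000'` alone is the safer default. A short comment above the block, such as `# Browser hardening headers: defence in depth, not a substitute for output encoding`, would keep later readers from treating them as the complete XSS fix.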