Skip to content

Instantly share code, notes, and snippets.

@edelbluth
Last active Aug 29, 2015
Embed
What would you like to do?
Mount a CherryPy Application with additional header security
"""
References:
[LUH] https://www.owasp.org/index.php/List_of_useful_HTTP_headers
[XFO] https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
[CSP] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Bonus_Rule_.232:_Implement_Content_Security_Policy
"""
_csp_sources = ['default', 'script', 'style', 'img', 'connect', 'font', 'object', 'media', 'frame']
_csp_default_source = "'self'"
_csp_rules = list()
for c in _csp_sources:
_csp_rules.append('{:s}-src {:s}'.format(c, _csp_default_source))
_csp = '; '.join(_csp_rules)
cherrypy.tree.mount(App(), '/', {
'/': {
'tools.encode.on': False,
'tools.response_headers.on': True,
'tools.response_headers.headers': [
('X-Frame-Options', 'DENY'), # [XFO]
('X-XSS-Protection', '1; mode=block'), # [LUH]
('Content-Security-Policy', _csp), # [CSP]
('X-Content-Security-Policy', _csp), # [CSP]
('X-Webkit-CSP', _csp), # [CSP]
('X-Content-Type-Options', 'nosniff') # [LUH]
]
}
})
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment