Bug 1337353: Set HSTS header in balrog responses (mozilla-releng#240)…

…. r=bhearsum
damidurodola · Feb 7, 2017 · bdb2c36 · bdb2c36
1 parent 3360d73
commit bdb2c36
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 0 deletions.
diff --git a/auslib/admin/base.py b/auslib/admin/base.py
@@ -63,6 +63,8 @@ def ise(error):
 def add_security_headers(response):
     response.headers['X-Frame-Options'] = 'DENY'
     response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers["Strict-Transport-Security"] = app.config.get("STRICT_TRANSPORT_SECURITY", "max-age=31536000;")
+    response.headers["Content-Security-Policy"] = app.config.get("CONTENT_SECURITY_POLICY", "default-src 'none'; frame-ancestors 'none'")
     return response
 
 

diff --git a/auslib/test/admin/views/test_base.py b/auslib/test/admin/views/test_base.py
@@ -11,6 +11,7 @@ def setUp(self):
         self.orig_handlers = self.logger.handlers
         self.logger.handlers = []
         self.level = self.logger.level
+        super(TestJsonLogFormatter, self).setUp()
 
     def tearDown(self):
         self.logger.handlers = self.orig_handlers
@@ -19,3 +20,11 @@ def tearDown(self):
     def testConfigureLogging(self):
         configure_logging()
         self.assertTrue(isinstance(self.logger.handlers[0].formatter, JsonLogFormatter))
+
+    def testStrictTransportSecurityIsSet(self):
+        ret = self.client.get('/rules')
+        self.assertEqual(ret.headers.get("Strict-Transport-Security"), "max-age=31536000;")
+
+    def testContentSecurityPolicyIsSet(self):
+        ret = self.client.get('/rules')
+        self.assertEqual(ret.headers.get("Content-Security-Policy"), "default-src 'none'; frame-ancestors 'none'")
diff --git a/auslib/test/web/test_client.py b/auslib/test/web/test_client.py
@@ -939,6 +939,26 @@ def testContentSecurityPolicyIsSetFor500(self):
             ret = self.client.get('/update/4/b/1.0/1/p/l/a/a/a/a/1/update.xml')
             self.assertEqual(ret.headers.get("Content-Security-Policy"), "default-src 'none'; frame-ancestors 'none'")
 
+    def testStrictTransportSecurityIsSet(self):
+        ret = self.client.get('/update/3/c/15.0/1/p/l/a/a/default/a/update.xml')
+        self.assertEqual(ret.headers.get("Strict-Transport-Security"), "max-age=31536000;")
+
+    def testStrictTransportSecurityIsSetFor404(self):
+        ret = self.client.get('/whizzybang')
+        self.assertEqual(ret.headers.get("Strict-Transport-Security"), "max-age=31536000;")
+
+    def testStrictTransportSecurityIsSetFor400(self):
+        with mock.patch('auslib.web.views.client.ClientRequestView.get') as m:
+            m.side_effect = BadDataError('I break!')
+            ret = self.client.get('/update/4/b/1.0/1/p/l/a/a/a/a/1/update.xml')
+            self.assertEqual(ret.headers.get("Strict-Transport-Security"), "max-age=31536000;")
+
+    def testStrictTransportSecurityIsSetFor500(self):
+        with mock.patch('auslib.web.views.client.ClientRequestView.get') as m:
+            m.side_effect = Exception('I break!')
+            ret = self.client.get('/update/4/b/1.0/1/p/l/a/a/a/a/1/update.xml')
+            self.assertEqual(ret.headers.get("Strict-Transport-Security"), "max-age=31536000;")
+
     def testXContentTypeOptionsIsSet(self):
         ret = self.client.get('/update/3/c/15.0/1/p/l/a/a/default/a/update.xml')
         self.assertEqual(ret.headers.get("X-Content-Type-Options"), "nosniff")

diff --git a/auslib/web/base.py b/auslib/web/base.py
@@ -35,6 +35,7 @@ def apply_security_headers(response):
     # We also need to set X-Content-Type-Options to nosniff for Firefox to obey this.
     # See https://bugzilla.mozilla.org/show_bug.cgi?id=1332829#c4 for background.
     response.headers["Content-Security-Policy"] = app.config.get("CONTENT_SECURITY_POLICY", "default-src 'none'; frame-ancestors 'none'")
+    response.headers["Strict-Transport-Security"] = app.config.get("STRICT_TRANSPORT_SECURITY", "max-age=31536000;")
     response.headers["X-Content-Type-Options"] = app.config.get("CONTENT_TYPE_OPTIONS", "nosniff")
     return response