
from aspen import Response

def _requesting_asset(r):
    """Return True when the request targets a static asset under ``/assets/``.

    This is a plain prefix match on the raw request path, so ``/assets``
    without the trailing slash (or ``/foo/assets/...``) does not count.
    """
    return r.path.raw.startswith('/assets/')

def only_allow_certain_methods(request):
    """Refuse requests whose HTTP method is not on the allow-list for the path.

    Static assets under ``/assets/`` accept only ``GET`` and ``HEAD``; every
    other path additionally accepts ``POST``. Anything else (``PUT``,
    ``DELETE``, ``OPTIONS``, ...) is rejected with ``405 Method Not Allowed``.

    :param request: the incoming aspen request. ``request.method`` is
        compared case-insensitively via ``upper()``.
    :raises Response: a ``405`` response when the method is not allowed.
    """
    verb = request.method.upper()

    # POSTing to /assets/ interferes with the csrf.* functions if we're not careful
    if _requesting_asset(request):
        allowed = ('GET', 'HEAD')
    else:
        allowed = ('GET', 'HEAD', 'POST')

    if verb in allowed:
        return

    # NOTE(review): RFC 7231 section 6.5.5 says a 405 response should carry an
    # ``Allow`` header listing the permitted methods (``allowed`` here); none
    # is attached to this response.
    raise Response(405)

def add_headers_to_response(response):
    """Attach a baseline set of browser security headers to ``response``.

    Every header is added only when the simplate has not already set it, so a
    page can override or opt out per response. ``X-Frame-Options`` has one
    extra rule: the non-standard value ``ALLOWALL`` is a signal to send no
    ``X-Frame-Options`` header at all, so it is deleted rather than forwarded.

    :param response: the aspen response being finalized; ``response.headers``
        is read and mutated in place. The lookups below mix header-name
        casing (``X-Frame-Options`` vs ``content-security-policy``), which
        presumably relies on ``response.headers`` being a case-insensitive
        mapping -- verify against aspen's mapping type.
    """
    headers = response.headers

    # Clickjacking defence: a missing header defaults to same-origin framing.
    if 'X-Frame-Options' not in headers:
        headers['X-Frame-Options'] = 'SAMEORIGIN'
    elif headers['X-Frame-Options'] == 'ALLOWALL':
        # ALLOWALL is not a standard X-Frame-Options value, so it must never
        # reach a browser. Dropping the header entirely has the effect the
        # simplate asked for: the page may be framed from anywhere.
        del headers['X-Frame-Options']

    defaults = (
        # Stop browsers from MIME-sniffing a response away from its declared
        # Content-Type.
        ('X-Content-Type-Options', 'nosniff'),

        # NOTE(review): the XSS auditor this header controls has been removed
        # from Chromium, and ``1; mode=block`` has been abused for cross-site
        # leaks; current OWASP guidance is to send ``0`` or omit the header.
        # The value is kept as-is here.
        ('X-XSS-Protection', '1; mode=block'),

        # Content Security Policy. Images are allowed from anywhere for now,
        # until Camo can be deployed.
        # NOTE(review): 'unsafe-inline' in script-src largely negates CSP's
        # XSS mitigation; nonces or hashes would be stronger. The style-src
        # and font-src source lists as shown here are empty, which browsers
        # treat as 'none' -- the host list looks truncated in this copy, so
        # confirm against the deployed policy. ``reflected-xss`` and
        # ``block-all-mixed-content`` were dropped/deprecated in CSP Level 3
        # and are ignored by current browsers.
        ('content-security-policy', (
            "default-src 'self';"
            "script-src 'unsafe-inline';"
            'style-src;'
            'img-src *;'
            'font-src;'
            'upgrade-insecure-requests;'
            'block-all-mixed-content;'
            'reflected-xss block;'
        )),
    )
    for name, value in defaults:
        if name not in headers:
            headers[name] = value