secure cookies, add X-Content-Type-Options header (bug 1371613)

mozilla · Sep 6, 2018 · fc46cc9 · fc46cc9
1 parent 5d20a19
commit fc46cc9
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/redash/__init__.py b/redash/__init__.py
@@ -128,6 +128,11 @@ def create_app(load_admin=True):
     app.config['SQLALCHEMY_DATABASE_URI'] = settings.SQLALCHEMY_DATABASE_URI
     app.config.update(settings.all_settings())
 
+    def set_response_headers(response):
+        response.headers['X-Content-Type-Options'] = 'nosniff'
+        return response
+
+    app.after_request(set_response_headers)
     provision_app(app)
     db.init_app(app)
     migrate.init_app(app, db)

diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
@@ -14,6 +14,7 @@ def all_settings():
 
     return settings
 
+SESSION_COOKIE_SECURE = True
 REDIS_URL = os.environ.get('REDASH_REDIS_URL', os.environ.get('REDIS_URL', "redis://localhost:6379/0"))
 PROXIES_COUNT = int(os.environ.get('REDASH_PROXIES_COUNT', "1"))