From fc46cc95cd2b73b36d38053aa17ffe95c46c2e78 Mon Sep 17 00:00:00 2001
From: Allen Short
Date: Wed, 27 Sep 2017 21:18:32 +0000
Subject: [PATCH] secure cookies, add X-Content-Type-Options header (bug 1371613)

---
 redash/__init__.py | 5 +++++
 redash/settings/__init__.py | 1 +
 2 files changed, 6 insertions(+)

diff --git a/redash/__init__.py b/redash/__init__.py
index bd9a8e5859..233f44196b 100644
--- a/redash/__init__.py
+++ b/redash/__init__.py
@@ -128,6 +128,11 @@ def create_app(load_admin=True):
     app.config['SQLALCHEMY_DATABASE_URI'] = settings.SQLALCHEMY_DATABASE_URI
     app.config.update(settings.all_settings())
 
+    def set_response_headers(response):
+        response.headers['X-Content-Type-Options'] = 'nosniff'
+        return response
+
+    app.after_request(set_response_headers)
     provision_app(app)
     db.init_app(app)
     migrate.init_app(app, db)
diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
index 44cb71eef4..5fd36c9941 100644
--- a/redash/settings/__init__.py
+++ b/redash/settings/__init__.py
@@ -14,6 +14,7 @@ def all_settings():
     return settings
 
+SESSION_COOKIE_SECURE = True
 REDIS_URL = os.environ.get('REDASH_REDIS_URL', os.environ.get('REDIS_URL', "redis://localhost:6379/0"))
 PROXIES_COUNT = int(os.environ.get('REDASH_PROXIES_COUNT', "1"))
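Review bot: The new `set_response_headers` hook in the `redash/__init__.py` hunk has no docstring and is registered by a separate `app.after_request(set_response_headers)` call with no blank line before `provision_app(app)`, so a reader cannot tell what the hook guarantees or that the registration is intentional rather than leftover wiring. I would use the decorator form and document the contract: `@app.after_request` / `def set_response_headers(response):` / `"""After-request hook: stamp X-Content-Type-Options: nosniff on every response so browsers honour the declared Content-Type instead of sniffing it."""`. The header is unconditionally overwritten on every response, which is the right default for a nosniff policy, but that intent should be stated so a later per-route override is not added by accident. The body of `create_app` starts and ends outside this hunk, so I cannot see whether any other response header is set elsewhere in it; the second hunk, adding `SESSION_COOKIE_SECURE = True`, is cut off at the end of the page.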