[security] allowing to set static headers as configuration (#1126)

* [security] setting X-Frame-Options=SAMEORIGIN to prevent clickjacking * Changing to a more flexible approach
2016-09-21 14:41:42 -07:00 · 2016-09-21 14:41:42 -07:00 · b5875764ed
parent f1e80a8e1b
commit b5875764ed
2 changed files with 14 additions and 0 deletions
--- a/caravel/config.py
+++ b/caravel/config.py
@ -220,6 +220,12 @@ CELERY_CONFIG = None
 SQL_CELERY_DB_FILE_PATH = os.path.join(DATA_DIR, 'celerydb.sqlite')
 SQL_CELERY_RESULTS_DB_FILE_PATH = os.path.join(DATA_DIR, 'celery_results.sqlite')

+# static http headers to be served by your Caravel server.
+# The following example prevents iFrame from other domains
+# and "clickjacking" as a result
+# HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
+HTTP_HEADERS = {}
+
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None

--- a/caravel/views.py
+++ b/caravel/views.py
@ -1796,6 +1796,14 @@ appbuilder.add_link(
    icon="fa-flask")


+@app.after_request
+def apply_caching(response):
+    """Applies the configuration's http headers to all responses"""
+    for k, v in config.get('HTTP_HEADERS').items():
+        response.headers[k] = v
+    return response
+
+
 # ---------------------------------------------------------------------
 # Redirecting URL from previous names
 class RegexConverter(BaseConverter):