From b5875764edfaec2b6377df03fdb281e1e196179b Mon Sep 17 00:00:00 2001
From: Maxime Beauchemin
Date: Wed, 21 Sep 2016 14:41:42 -0700
Subject: [PATCH] [security] allowing to set static headers as configuration (#1126)

* [security] setting X-Frame-Options=SAMEORIGIN to prevent clickjacking

* Changing to a more flexible approach
---
 caravel/config.py | 6 ++++++
 caravel/views.py  | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/caravel/config.py b/caravel/config.py
index 8871d95b55..ca378d8cd6 100644
--- a/caravel/config.py
+++ b/caravel/config.py
@@ -220,6 +220,12 @@ CELERY_CONFIG = None
 SQL_CELERY_DB_FILE_PATH = os.path.join(DATA_DIR, 'celerydb.sqlite')
 SQL_CELERY_RESULTS_DB_FILE_PATH = os.path.join(DATA_DIR, 'celery_results.sqlite')
+# static http headers to be served by your Caravel server.
+# The following example prevents iFrame from other domains
+# and "clickjacking" as a result
+# HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
+HTTP_HEADERS = {}
+
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None
diff --git a/caravel/views.py b/caravel/views.py
index 7b6df5e684..563db9f224 100755
--- a/caravel/views.py
+++ b/caravel/views.py
@@ -1796,6 +1796,14 @@ appbuilder.add_link(
     icon="fa-flask")
+@app.after_request
+def apply_caching(response):
+    """Applies the configuration's http headers to all responses"""
+    for k, v in config.get('HTTP_HEADERS').items():
+        response.headers[k] = v
+    return response
+
+
 # ---------------------------------------------------------------------
 # Redirecting URL from previous names
 class RegexConverter(BaseConverter):
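Review bot: The default `HTTP_HEADERS = {}` added in the config.py hunk leaves the clickjacking protection named in the commit title switched off, so a fresh install still lets any origin frame its pages until an operator edits their config. Consider shipping `HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}` as the default and letting deployments that intentionally embed dashboards clear it, or at minimum state in the comment that the protection is opt-in. The comment could also mention that `Content-Security-Policy: frame-ancestors` is the standards-track way to allow specific embedding origins, since `X-Frame-Options` only expresses `DENY`/`SAMEORIGIN`. Whether any existing deployment relies on cross-origin framing is not visible from this patch.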
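Review bot: `config.get('HTTP_HEADERS').items()` in the new `apply_caching` hook raises AttributeError on every response if the key is absent from the active config, turning a missing setting into a site-wide error; `for k, v in config.get('HTTP_HEADERS', {}).items():` degrades to "no extra headers" instead. The name `apply_caching` and its docstring disagree — the hook sets arbitrary static headers from configuration, not cache headers — so renaming it (for example `apply_http_headers`) or at least correcting the docstring would help the next reader. The assignment also unconditionally overwrites any header a view already set; that is reasonable for fixed security headers, but a comment such as `# configured headers take precedence over per-view headers` would make the precedence deliberate. Whether `config` here is the Flask app config (where caravel/config.py's default would already be merged in) or something else is not visible in this hunk.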