From b982c9c3f6e940860581bb00e87ac4b8855220a3 Mon Sep 17 00:00:00 2001
From: Albert Kolozsvari
Date: Wed, 6 Jan 2021 10:08:56 +0000
Subject: [PATCH] Add security headers

---
 canonicalwebteam/flask_base/app.py | 7 +++++++
 tests/test_flask_base.py | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/canonicalwebteam/flask_base/app.py b/canonicalwebteam/flask_base/app.py
index 3329f99..7c2bb60 100644
--- a/canonicalwebteam/flask_base/app.py
+++ b/canonicalwebteam/flask_base/app.py
@@ -19,6 +19,12 @@
 )
 
 
+def set_security_headers(response):
+    response.headers["X-Frame-Options"] = "SAMEORIGIN"
+
+    return response
+
+
 def set_cache_control_headers(response):
     if flask.request.path.startswith("/_status"):
         response.cache_control.no_store = True
@@ -82,6 +88,7 @@ def __init__(
             )
         )
 
+        self.after_request(set_security_headers)
         self.after_request(set_cache_control_headers)
         self.context_processor(base_context)
 
diff --git a/tests/test_flask_base.py b/tests/test_flask_base.py
index cf86a30..c93f2da 100644
--- a/tests/test_flask_base.py
+++ b/tests/test_flask_base.py
@@ -52,6 +52,14 @@ def test_wsgi_app(self):
         app = self.create_app()
         self.assertIsInstance(app.wsgi_app, ProxyFix)
 
+    def test_security_headers(self):
+        with create_test_app().test_client() as client:
+            response = client.get("page")
+            self.assertEqual(
+                response.headers.get("X-Frame-Options"),
+                "SAMEORIGIN",
+            )
+
     def test_default_cache_headers(self):
         with create_test_app().test_client() as client:
             cached_response = client.get("page")
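Review bot: The plain assignment in set_security_headers overwrites any X-Frame-Options value a view has already set, so a route that legitimately needs a different framing policy has no way to opt out of the base default; `response.headers.setdefault("X-Frame-Options", "SAMEORIGIN")` keeps the safe default while letting a handler override it. X-Frame-Options is also the legacy mechanism: browsers that support it honour `Content-Security-Policy: frame-ancestors 'self'` as the standards-track equivalent, so emitting both from the same hook is worth considering if the project wants finer framing control later. The function name promises "security headers" but sets exactly one, which the next maintainer will read as deliberate; a docstring such as `"""Flask after_request hook: add default browser hardening headers to every response."""` plus a one-line comment naming what is intentionally left out would make the scope explicit. The registration line in the `__init__` hunk is fine as is and needs no change.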
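Review bot: test_security_headers only asserts the header on the successful "page" response, so a regression where the hook stops applying to error responses (the case that matters most for a framing defence on login and error pages) would go unnoticed. A second request inside the same `with` block, `response = client.get("does-not-exist")`, followed by the same `assertEqual` on `response.headers.get("X-Frame-Options")`, would pin that behaviour; as far as I can tell Flask runs after_request hooks for responses produced by error handlers, but that is an assumption the test should confirm rather than rely on. Checking `response.status_code` on the first request would also make it explicit that the 200 path is being exercised.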