fix-Added several fixes for findings found in API Security tooling

components/resc-backend/src/resc_backend/resc_web_service/api.py

@@ -4,8 +4,10 @@
 import os
 
 # Third Party
-from fastapi import Depends, FastAPI
+from fastapi import Depends, FastAPI, Request
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware import Middleware
+from fastapi.middleware.trustedhost import TrustedHostMiddleware
 from starlette.responses import RedirectResponse
 from starlette.status import HTTP_302_FOUND
 from tenacity import RetryError
@@ -17,7 +19,8 @@
 from resc_backend.resc_web_service.dependencies import (
     check_db_initialized,
     requires_auth,
-    requires_no_auth
+    requires_no_auth,
+    add_security_headers
 )
 from resc_backend.resc_web_service.endpoints import (
     branches,
@@ -130,6 +133,11 @@ def generate_logger_config(log_file_path, debug=True):
 app.include_router(vcs_instances.router, prefix=RWS_VERSION_PREFIX)
 app.include_router(metrics.router, prefix=RWS_VERSION_PREFIX)
 
+
+# Apply the security headers to the app in the form of middleware
+app.middleware("http")(add_security_headers)
+
+
 # Add exception handlers
 add_exception_handlers(app=app)
 

components/resc-backend/src/resc_backend/resc_web_service/dependencies.py

@@ -84,6 +84,29 @@ async def requires_auth(request: Request, credentials: HTTPBasicCredentials = De
                             headers={"WWW-Authenticate": "Bearer"}) from error
 
 
+async def add_security_headers(request: Request, call_next):
+    """
+        Function that is used to add several security headers to the API
+    """
+    security_headers = {
+        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
+        "Cache-Control": "no-cache, no-store",
+        "Cross-Origin-Resource-Policy": "same-site",
+        "Referrer-Policy": "same-origin",
+        "X-Permitted-Cross-Domain-Policies": "none",
+        "X-Content-Type-Options": "nosniff",
+        "X-Frame-Options": "DENY",
+        "X-XSS-Protection": "1; mode=block",
+        "Content-Security-Policy": "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data:;"
+                                   " style-src 'self' https://fonts.googleapis.com 'unsafe-inline';"
+                                   " frame-ancestors 'self'; form-action 'self';"
+    }
+    response = await call_next(request)
+    for header, value in security_headers.items():
+        response.headers[header] = value
+    return response
+
+
 def user_has_resc_operator_role(claims: dict) -> bool:
     """
         Function that is used to determine if the user has the RESC_OPERATOR_ROLE

components/resc-backend/tests/resc_backend/resc_web_service/endpoints/test_health.py

@@ -20,3 +20,24 @@ def test_health_check(self):
         assert response.status_code == 200, response.text
         data = response.json()
         assert data["status"] == "OK"
+
+    def test_correct_security_headers(self):
+        correct_security_headers = {
+            "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
+            "Cache-Control": "no-cache, no-store",
+            "Cross-Origin-Resource-Policy": "same-site",
+            "Referrer-Policy": "same-origin",
+            "X-Permitted-Cross-Domain-Policies": "none",
+            "X-Content-Type-Options": "nosniff",
+            "X-Frame-Options": "DENY",
+            "X-XSS-Protection": "1; mode=block",
+            "Content-Security-Policy": "default-src 'none'; script-src 'self'; "
+                                       "connect-src 'self'; img-src 'self' data:;"
+                                       " style-src 'self' https://fonts.googleapis.com 'unsafe-inline';"
+                                       " frame-ancestors 'self'; form-action 'self';"
+        }
+        response = self.client.get(f"{RWS_VERSION_PREFIX}{RWS_ROUTE_HEALTH}")
+        assert response.status_code == 200, response.text
+        for header, value in correct_security_headers.items():
+            assert header in response.headers
+            assert value == response.headers[header]