fecgov · pkfec · Aug 30, 2019 · Aug 22, 2019 · Aug 22, 2019 · Aug 28, 2019
diff --git a/fec/fec/middleware.py b/fec/fec/middleware.py
@@ -0,0 +1,31 @@
+from django.utils.deprecation import MiddlewareMixin
+from django.conf import settings
+
+
+class AddSecureHeaders(MiddlewareMixin):
+    """Add secure headers to each response"""
+
+    def process_response(self, request, response):
+
+        # Report violations to the API due to CSRF issue with Django route
+        REPORT_URI = "{0}/report-csp-violation/?api_key={1}".format(
+            settings.FEC_API_URL, settings.FEC_API_KEY_PUBLIC
+        )
+        content_security_policy = {
+            "default-src": "'self' *.fec.gov *.app.cloud.gov https://www.google-analytics.com",
+            "frame-src": "'self' https://www.google.com/recaptcha/",
+            "img-src": "'self' data: https://*.ssl.fastly.net https://www.google-analytics.com *.app.cloud.gov",
+            "script-src": "'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com https://polyfill.io https://dap.digitalgov.gov",
+            "style-src": "'self' data: 'unsafe-inline'",
+            "object-src": "'none'",
+            "report-uri": REPORT_URI,
+        }
+        if settings.FEC_CMS_ENVIRONMENT == 'LOCAL':
+            content_security_policy["default-src"] += " localhost:* http://127.0.0.1:*"
+
+        response["Content-Security-Policy"] = "".join(
+            "{0} {1}; ".format(directive, value)
+            for directive, value in content_security_policy.items()
+        )
+        response["cache-control"] = "max-age=600"
+        return response
diff --git a/fec/fec/settings/base.py b/fec/fec/settings/base.py
@@ -110,6 +110,7 @@
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
+    'fec.middleware.AddSecureHeaders',  # custom response headers
     'uaa_client.middleware.UaaRefreshMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
@@ -122,6 +123,10 @@
     'audit_log.middleware.UserLoggingMiddleware',
 )
 
+CSRF_TRUSTED_ORIGINS = ["fec.gov", "app.cloud.gov"]
+if FEC_CMS_ENVIRONMENT == 'LOCAL':
+    CSRF_TRUSTED_ORIGINS.extend(["127.0.0.1:5000"])
+
 ROOT_URLCONF = 'fec.urls'
 
 from data import constants