This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch hsts-header in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit d97220a55f2528de2808bee64b5165e103c2fd34
Author: Dave Fisher <[email protected]>
AuthorDate: Tue Jan 20 13:32:28 2026 -0800
Add HSTS response header
---
 atr/server.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/atr/server.py b/atr/server.py
index cd76bf9..263f6e1 100644
--- a/atr/server.py
+++ b/atr/server.py
@@ -413,6 +413,7 @@ def _app_setup_security_headers(app: base.QuartApp) -> None:
 # X-Content-Type-Options: nosniff is required by ASVS v5 3.4.4 (L2)
 # A strict Referrer-Policy is required by ASVS v5 3.4.5 (L2)
+ # HSTS is required by ASVS v5 9.2.1 (L1)
 # ASVS does not specify exactly what is meant by strict
 # We can't use Referrer-Policy: no-referrer because it breaks form redirection
 # TODO: We could automatically include a form field noting the form action URL
@@ -424,6 +425,7 @@ def _app_setup_security_headers(app: base.QuartApp) -> None:
 response.headers["X-Content-Type-Options"] = "nosniff"
 response.headers["X-Frame-Options"] = "DENY"
 response.headers["X-Permitted-Cross-Domain-Policies"] = "none"
+ response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
 return response
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
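Review bot: The new comment line in the first hunk splits the Referrer-Policy explanation: the next line, `# ASVS does not specify exactly what is meant by strict`, refers to the strict Referrer-Policy requirement above it, and with the HSTS line inserted between them it now reads as a remark about HSTS. Move that comment down to sit directly above the new `Strict-Transport-Security` assignment in the second hunk and extend it to record the chosen flags, e.g. `# HSTS is required by ASVS v5 9.2.1 (L1); one year, includeSubDomains, no preload` — `includeSubDomains` commits every subdomain of the serving host to HTTPS for the full max-age, so confirm that no HTTP-only subdomain exists under the deployed hostname before this ships. If the app sits behind a TLS-terminating proxy the header is still correct to set here, since browsers ignore HSTS received over plain HTTP, so no HTTPS check is needed around it. `_app_setup_security_headers` begins before the first hunk and the lines between the two hunks are not shown, so the header-setting hook's full body cannot be checked from here.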
