This is an automated email from the ASF dual-hosted git repository.
wave pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new cecb5d6 Add HSTS response header (#566)
cecb5d6 is described below
commit cecb5d613e3eee1353cb3cd31237ecd7169c4ca8
Author: Dave Fisher <[email protected]>
AuthorDate: Tue Jan 20 14:04:00 2026 -0800
Add HSTS response header (#566)
---
atr/server.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/atr/server.py b/atr/server.py
index cd76bf9..263f6e1 100644
--- a/atr/server.py
+++ b/atr/server.py
@@ -413,6 +413,7 @@ def _app_setup_security_headers(app: base.QuartApp) -> None:
# X-Content-Type-Options: nosniff is required by ASVS v5 3.4.4 (L2)
# A strict Referrer-Policy is required by ASVS v5 3.4.5 (L2)
+ # HSTS is required by ASVS v5 9.2.1 (L1)
# ASVS does not specify exactly what is meant by strict
# We can't use Referrer-Policy: no-referrer because it breaks form
redirection
# TODO: We could automatically include a form field noting the form action
URL
@@ -424,6 +425,7 @@ def _app_setup_security_headers(app: base.QuartApp) -> None:
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-Frame-Options"] = "DENY"
response.headers["X-Permitted-Cross-Domain-Policies"] = "none"
+ response.headers["Strict-Transport-Security"] = "max-age=31536000;
includeSubDomains"
return response
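Review bot: The `Strict-Transport-Security` value added here carries `includeSubDomains`, which commits every subdomain of whatever host serves this app to HTTPS for a year, and nothing in the hunk records that this was checked; a short comment on the assignment would capture the decision, e.g. `# includeSubDomains: every subdomain of the serving host must be HTTPS-only` and `# preload is not requested; that requires submission to the browser preload list`. The header is also set unconditionally, which is acceptable because user agents ignore HSTS on plain-HTTP responses, but it is worth saying so in the comment for anyone running the app locally without TLS. The assignment line appears wrapped by the mail transport; the literal is presumably a single string `"max-age=31536000; includeSubDomains"`. _app_setup_security_headers begins before this hunk, and the ASVS 9.2.1 comment in the first hunk is the rationale for this line.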